
Log analysis and evaluation: Windows 7 virus infection after file download (ADWARE/SuperFish.342192 and ADWARE/CrossRider.Gen7)

14.07.2015, 11:57   #1
McFly87
 



Hello dear forum community.

I have the following problem. My girlfriend wanted to use a cheat in a mobile game and downloaded 3 files for that. These are no longer on my laptop, but I also do not know which files they were. Since then my virus scanner has been going off constantly and tells me that I have a lot of viruses on my laptop. The number of viruses varies greatly, from 5 to 160. I ran my AntiVir, but the alerts keep coming.

Most of the alerts say that in the directory "C:\Windows\Temp\...." there are indications of the malware ADWARE/SuperFish.342192 and ADWARE/CrossRider.Gen7 in numerous files, and that access was denied by the antivirus program.

I have created the requested logs and they are available in the attachment.

I hope you can help me.

Kind regards

McFly

14.07.2015, 11:58   #2
schrauber
/// the machine
/// TB trainer
 




Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.
I cannot open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files in a CODE box, proceed as follows:
  • Select the entire log file (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracketed expressions appear: [CODE] [/CODE].
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it right. If everything is correct ... click Reply.

14.07.2015, 12:30   #3
McFly87
 



Sorry. Of course I'll do that right away; I only followed the instructions, and they said that I should pack them if they are too large. Or I misunderstood something there. Here are the files again.


FRST:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-07-2015
Ran by ****** (administrator) on ******-LAPTOP on 14-07-2015 11:36:43
Running from D:\Desktop
Loaded Profiles: ****** (Available Profiles: ****** & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
() C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\epson\MyEpson Portal\mepService.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\epson\MyEpson Portal\mep.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe
() C:\Users\******\AppData\Local\WikiUpdate.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Atheros Communications) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
() C:\Windows\System32\hale.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe
(TomTom) C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe
(Microsoft Corporation) C:\Users\******\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe
() C:\Program Files\Qualcomm Atheros\Killer Network Manager\KillerNetManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12448872 2012-02-14] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1020064 2012-02-13] (Atheros Communications)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800416 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [Chew7Hale] => C:\Windows\System32\hale.exe [2169856 2012-09-27] ()
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2409272 2012-10-06] (Logitech, Inc.)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [519408 2013-07-18] (Acronis)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2199840 2014-04-30] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe [1691112 2015-03-12] (Bitdefender)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [730416 2015-06-10] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502952 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863400 2012-07-09] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058912 2012-04-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7843744 2014-02-04] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1104616 2013-10-10] (Acronis International GmbH)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe [134368 2015-06-02] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [mbot_de_014010030] => [X]
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\Run: [MyDriveConnect.exe] => C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe [473496 2013-11-29] (TomTom)
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\Run: [OneDrive] => C:\Users\******\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-27] (Microsoft Corporation)
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\Run: [Amazon Music] => C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe [5886272 2015-03-03] ()
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\Run: [Bitdefender-Geldbörse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [790880 2015-01-15] (Bitdefender)
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\MountPoints2: {754fe650-00b4-11e2-a611-806e6f6e6963} - E:\CDSetup.exe
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\MountPoints2: {b013cf50-411f-11e2-9c6e-8c89a503fc40} - F:\AutoRun.exe
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\MountPoints2: {b013cf58-411f-11e2-9c6e-8c89a503fc40} - F:\AutoRun.exe
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [176064 2015-05-12] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [154256 2015-05-12] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Qualcomm Atheros Killer Network Manager.lnk [2012-09-17]
ShortcutTarget: Qualcomm Atheros Killer Network Manager.lnk -> C:\Program Files\Qualcomm Atheros\Killer Network Manager\KillerNetManager.exe ()
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll [2015-05-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll [2015-05-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll [2015-05-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [01UnsuppModule] -> {AEB16659-2125-4ADA-A4AB-45EE21E86469} =>  No File
ShellIconOverlayIdentifiers: [02SyncingModule] -> {48AB5ADA-36B1-4137-99C9-2BD97F8788AB} =>  No File
ShellIconOverlayIdentifiers: [03SyncedModule] -> {472CE1AD-5D53-4BCF-A1FB-3982A5F55138} =>  No File
ShellIconOverlayIdentifiers: [04ReadOnlyModule] -> {A433C3E0-8B24-40EB-93C3-4B10D9959F58} =>  No File
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2013-10-01] ()
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2013-10-01] ()
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2013-10-01] ()
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll [2015-05-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll [2015-05-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\FileSyncShell.dll [2015-05-27] (Microsoft Corporation)
BootExecute: autocheck autochk * auto_reactivate \\?\Volume{754fe64c-00b4-11e2-a611-806e6f6e6963}\bootwiz\asrm.bin
GroupPolicyScripts: Group Policy detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-2762328675-326499041-2546556484-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKU\S-1-5-21-2762328675-326499041-2546556484-1000 - (No Name) - {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No File
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
SearchScopes: HKLM-x32 -> {BFFED5CA-8BDF-47CC-AED0-23F4E6D77732} URL = hxxp://start.iminent.com/?appId=2f627111-a2d5-49b8-94f5-d1570cf81eea&ref=toolbox&q={searchTerms}
BHO: Bitdefender-Geldbörse -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2015-01-28] (Bitdefender)
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll [2012-01-25] (SEIKO EPSON CORPORATION)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Bitdefender-Geldbörse -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\pmbxie.dll [2015-01-28] (Bitdefender)
BHO-x32: E-Web Print -> {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} -> C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-06-29] (Oracle Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-02-13] (Atheros Commnucations)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2012-10-06] (Logitech, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> D:\Programme\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-06-29] (Oracle Corporation)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll [2012-01-25] (SEIKO EPSON CORPORATION)
Toolbar: HKLM - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2015-01-28] (Bitdefender)
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
Toolbar: HKLM-x32 - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\pmbxie.dll [2015-01-28] (Bitdefender)
Winsock: Catalog9-x64 01 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 02 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 03 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 04 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 16 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.10.10.241 10.10.10.242
Tcpip\..\Interfaces\{8323DF07-BD26-4316-8117-FB55680D7322}: [DhcpNameServer] 10.10.10.241 10.10.10.242
Tcpip\..\Interfaces\{8855DD4F-9182-480F-920D-BBF9D1B4E0F2}: [DhcpNameServer] 192.168.42.129
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://start.qone8.com/?type=sc&ts=1397327522&from=smt&uid=ST95005620AS_5YX1HQ5PXXXX5YX1HQ5P

FireFox:
========
FF ProfilePath: C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default
FF SelectedSearchEngine: StartWeb
FF Homepage: https://www.google.de/?gws_rd=ssl
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_203.dll [2015-07-09] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: synology.com/SurveillancePlugin_x86_64 -> C:\Program Files (x86)\Synology\SurveillancePlugin\1.0.0.565\npSurveillancePlugin_x86_64.dll [2015-01-29] (Synology)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll [2015-07-09] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-06-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-06-29] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=10 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll No File
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=4 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-07-19] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin-x32: synology.com/SurveillancePlugin -> C:\Program Files (x86)\Synology\SurveillancePlugin\1.0.0.565\npSurveillancePlugin.dll [2015-01-29] (Synology)
FF Plugin HKU\S-1-5-21-2762328675-326499041-2546556484-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2015-03-07] ()
FF user.js: detected! => C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\user.js [2014-04-12]
FF SearchPlugin: C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\searchplugins\avira-safesearch.xml [2014-12-16]
FF SearchPlugin: C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\searchplugins\google-images.xml [2014-10-22]
FF SearchPlugin: C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\searchplugins\google-maps.xml [2014-10-22]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\StartWeb.xml [2015-07-02]
FF Extension: Avira Browser Safety - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\Extensions\abs@avira.com [2015-07-05]
FF Extension: Block site - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2015-05-30]
FF Extension: Minibar - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\Extensions\minibar@go.im.xpi [2015-07-14]
FF Extension: Unseen - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\Extensions\unseen@tangrs.xpi [2014-02-04]
FF Extension: Flagfox - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2014-03-08]
FF Extension: Adblock Plus - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-06-07]
FF HKLM\...\Firefox\Extensions: [{21EAF666-26B3-4a3c-ABD0-CA2F5A326744}] - C:\Program Files\V-bates\Firefox
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: Bitdefender Antispam Toolbar - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext [2015-07-14]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2012-11-02]
FF HKLM-x32\...\Firefox\Extensions: [{21EAF666-26B3-4a3c-ABD0-CA2F5A326744}] - C:\Program Files\V-bates\Firefox
FF HKLM-x32\...\Firefox\Extensions: [e-webprint@epson.com] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [2015-04-09]
FF HKLM-x32\...\Firefox\Extensions: [bdwteff@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff [2015-07-14]
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\******\AppData\Roaming\Mozilla\Firefox\Profiles\oerwem6s.default\extensions\cliqz@cliqz.com

Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [adpeheiliennogfclcgmchdfdmafjegc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [edaibbiobngpbmeonadpbfafbkimjbdd] - C:\ProgramData\Logitech\LogiSmoothChromeExt.crx [2012-11-02]
CHR HKLM-x32\...\Chrome\Extension: [ehhlaekjfiiojlddgndcnefflngfmhen] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nociobghckdhokecfeajdpimjeapnopn] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [827184 2015-06-10] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [450808 2015-06-10] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [450808 2015-06-10] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1188360 2015-06-10] (Avira Operations GmbH & Co. KG)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [106144 2012-02-13] (Atheros Commnucations) [File not signed]
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [217280 2015-06-02] (Avira Operations GmbH & Co. KG)
S3 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender 2015\bdparentalservice.exe [78144 2014-12-09] (Bitdefender)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
R2 MyEpson Portal Service; C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe [703984 2014-09-22] (SEIKO EPSON CORPORATION)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1617696 2014-04-30] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21007192 2014-04-30] (NVIDIA Corporation)
R2 Qualcomm Atheros Killer Service; C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe [490496 2012-07-23] () [File not signed]
S3 sppuinotify; C:\Windows\system32\sppuinotify.dll [65536 2014-02-08] (Microsoft Corporation) [File not signed]
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe [67320 2014-10-27] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [1547936 2015-03-16] (Bitdefender)
R2 WikiBrowserUpdateService; C:\Users\******\AppData\Local\WikiUpdate.exe [364032 2015-06-30] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe /medsvc [X] <==== ATTENTION
S2 Update veberGreat; "C:\Program Files (x86)\veberGreat\updateveberGreat.exe" [X]
S2 Util veberGreat; "C:\Program Files (x86)\veberGreat\bin\utilveberGreat.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Ak27x64; C:\Windows\System32\DRIVERS\Ak27x64.sys [3364720 2012-07-23] (Qualcomm Atheros, Inc.)
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1306464 2015-01-14] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [262544 2015-01-23] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [677104 2015-01-14] (BitDefender)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [153256 2015-06-10] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132656 2015-06-10] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-10-01] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [44088 2015-03-11] (Avira Operations GmbH & Co. KG)
R1 BdfNdisf; c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [93600 2014-12-15] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107080 2012-10-29] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [121928 2013-07-02] (Bitdefender SRL)
S3 BDSandBox; C:\Windows\system32\drivers\bdsandbox.sys [82824 2015-01-09] (BitDefender SRL)
R1 BfLwf; C:\Windows\System32\DRIVERS\bflwfx64.sys [66928 2012-07-23] (Qualcomm Atheros, Inc.)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [160544 2015-02-24] (BitDefender LLC)
R3 L1C; C:\Windows\System32\DRIVERS\e22w7x64.sys [157552 2012-07-23] (Qualcomm Atheros, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [18776 2014-04-30] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2013-12-24] (Acronis International GmbH)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [198432 2013-12-24] (Acronis International GmbH)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [452040 2014-10-15] (BitDefender S.R.L.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2013-03-18] (Apple, Inc.) [File not signed]
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [117024 2013-12-24] (Acronis International GmbH)
S3 massfilter; system32\drivers\massfilter.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 ZTEusbnet; system32\DRIVERS\ZTEusbnet.sys [X]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-14 11:36 - 2015-07-14 11:36 - 00000000 ____D C:\FRST
2015-07-14 11:34 - 2015-07-14 11:34 - 00000000 _____ C:\Users\******\defogger_reenable
2015-07-14 11:18 - 2015-07-14 11:18 - 00000000 ____D C:\Users\******\AppData\Local\bdch
2015-07-14 11:18 - 2015-07-14 11:18 - 00000000 ____D C:\ProgramData\bdch
2015-07-14 11:04 - 2015-07-14 11:04 - 00000000 ___HD C:\OneDriveTemp
2015-07-14 10:43 - 2015-07-14 10:43 - 00076944 _____ (BitDefender) C:\Windows\system32\Drivers\bdvedisk.sys
2015-07-14 10:43 - 2015-07-14 10:43 - 00074000 _____ (BitDefender SRL) C:\Windows\system32\bdsandboxuiskin32.dll
2015-07-14 10:19 - 2015-07-14 10:19 - 00000000 ____D C:\Users\******\AppData\Temp
2015-07-14 10:12 - 2015-07-14 10:12 - 00636826 _____ C:\ProgramData\1436861066.bdinstall.bin
2015-07-14 10:12 - 2015-07-14 10:12 - 00000684 ____H C:\bdr-cf01
2015-07-14 10:12 - 2015-07-14 10:12 - 00000385 _____ C:\Windows\system32\user_gensett.xml
2015-07-14 10:12 - 2015-07-14 10:12 - 00000385 _____ C:\Users\******\AppData\Roaminguser_gensett.xml
2015-07-14 10:11 - 2015-07-14 10:11 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_avchv_01009.Wdf
2015-07-14 10:11 - 2015-07-14 10:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender 2015
2015-07-14 10:11 - 2015-07-14 10:11 - 00000000 ____D C:\ProgramData\BDLogging
2015-07-14 10:11 - 2015-01-23 16:30 - 00262544 _____ (BitDefender) C:\Windows\system32\Drivers\avchv.sys
2015-07-14 10:11 - 2015-01-14 13:13 - 00677104 _____ (BitDefender) C:\Windows\system32\Drivers\avckf.sys
2015-07-14 10:11 - 2015-01-14 13:07 - 01306464 _____ (BitDefender) C:\Windows\system32\Drivers\avc3.sys
2015-07-14 10:11 - 2015-01-09 11:59 - 00082824 _____ (BitDefender SRL) C:\Windows\system32\Drivers\bdsandbox.sys
2015-07-14 10:11 - 2015-01-09 11:44 - 00074000 _____ (BitDefender SRL) C:\Windows\SysWOW64\bdsandboxuiskin32.dll
2015-07-14 10:11 - 2014-12-15 18:04 - 00093600 _____ (BitDefender LLC) C:\Windows\system32\Drivers\BdfNdisf6.sys
2015-07-14 10:11 - 2007-04-11 11:11 - 00511328 _____ (Microsoft Corporation) C:\Windows\capicom.dll
2015-07-14 10:07 - 2015-07-14 10:17 - 00000000 ____D C:\Users\******\AppData\Roaming\Bitdefender
2015-07-14 10:07 - 2015-07-14 10:12 - 00253404 ____H C:\bdr-ld01
2015-07-14 10:07 - 2015-07-14 10:12 - 00009216 ____H C:\bdr-ld01.mbr
2015-07-14 10:07 - 2014-07-04 17:49 - 49563064 ____H C:\bdr-im01.gz
2015-07-14 10:07 - 2013-08-13 13:38 - 03271472 ____H C:\bdr-bz01
2015-07-14 10:05 - 2015-07-14 10:12 - 00000000 ____D C:\ProgramData\Bitdefender
2015-07-14 10:05 - 2015-02-24 17:52 - 00160544 _____ (BitDefender LLC) C:\Windows\system32\Drivers\gzflt.sys
2015-07-14 10:05 - 2015-01-09 11:44 - 00084848 _____ (BitDefender SRL) C:\Windows\system32\BDSandBoxUISkin.dll
2015-07-14 10:05 - 2015-01-09 11:44 - 00033360 _____ (BitDefender SRL) C:\Windows\system32\BDSandBoxUH.dll
2015-07-14 10:04 - 2015-07-14 10:05 - 00000000 ____D C:\Program Files\Common Files\Bitdefender
2015-07-14 10:04 - 2015-07-14 10:04 - 00000000 ____D C:\Users\******\AppData\Roaming\QuickScan
2015-07-14 10:04 - 2015-07-14 10:04 - 00000000 ____D C:\Program Files\Bitdefender
2015-07-14 10:04 - 2015-07-14 10:04 - 00000000 ____D C:\KVRT_Data
2015-07-14 10:04 - 2014-10-15 17:14 - 00452040 _____ (BitDefender S.R.L.) C:\Windows\system32\Drivers\trufos.sys
2015-07-14 08:57 - 2015-07-14 09:01 - 00000000 ____D C:\Windows\System32\Tasks\OptiSpace
2015-07-14 08:56 - 2015-07-14 11:04 - 00001000 _____ C:\Windows\Tasks\RPKBwyOEM3ar.job
2015-07-14 08:56 - 2015-07-14 08:56 - 00004038 _____ C:\Windows\System32\Tasks\RPKBwyOEM3ar
2015-07-14 08:54 - 2015-07-14 08:54 - 00000000 ____D C:\Program Files (x86)\app_setup
2015-07-14 08:52 - 2015-07-14 10:04 - 00000000 ____D C:\Program Files (x86)\FastSearch
2015-07-14 08:52 - 2015-07-14 08:59 - 00009216 _____ C:\Windows\SysWOW64\abengineOff.ini
2015-07-14 08:52 - 2015-07-14 08:59 - 00009216 _____ C:\Windows\system32\abengineOff.ini
2015-07-14 08:52 - 2015-07-14 08:52 - 00003090 _____ C:\Windows\System32\Tasks\tet3008
2015-07-14 08:52 - 2015-07-14 08:52 - 00000002 _____ C:\END
2015-07-09 09:47 - 2015-07-12 17:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-07-05 13:48 - 2015-07-14 11:04 - 00003211 _____ C:\Windows\setupact.log
2015-07-05 13:48 - 2015-07-05 13:48 - 00000000 _____ C:\Windows\setuperr.log
2015-06-30 14:23 - 2015-06-30 14:23 - 00364032 _____ C:\Users\******\AppData\Local\WikiUpdate.exe
2015-06-29 11:35 - 2015-06-29 11:35 - 00000696 __RSH C:\ProgramData\ntuser.pol

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-14 11:34 - 2012-09-17 12:45 - 00000000 ____D C:\Users\******
2015-07-14 11:16 - 2012-09-18 19:26 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 11:13 - 2009-07-14 06:45 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 11:13 - 2009-07-14 06:45 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 11:10 - 2009-07-14 19:58 - 00703192 _____ C:\Windows\system32\perfh007.dat
2015-07-14 11:10 - 2009-07-14 19:58 - 00150800 _____ C:\Windows\system32\perfc007.dat
2015-07-14 11:10 - 2009-07-14 07:13 - 01629348 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-14 11:04 - 2013-03-22 12:47 - 00000000 ___RD C:\Users\******\SkyDrive
2015-07-14 11:04 - 2012-09-17 13:10 - 00000000 ____D C:\ProgramData\Bigfoot Networks
2015-07-14 11:04 - 2012-09-17 13:09 - 00535638 _____ C:\Windows\PFRO.log
2015-07-14 11:04 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-14 10:59 - 2012-09-17 12:47 - 01979040 _____ C:\Windows\WindowsUpdate.log
2015-07-14 10:34 - 2014-08-18 20:50 - 00000000 ____D C:\Users\******\AppData\Local\Adobe
2015-07-14 10:34 - 2012-09-18 19:26 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 10:34 - 2012-09-18 19:26 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-14 10:24 - 2012-11-02 14:16 - 01603628 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-07-14 09:18 - 2012-10-11 18:38 - 00000000 ____D C:\Users\******\AppData\Local\CrashDumps
2015-07-14 09:00 - 2012-09-17 12:45 - 00001421 _____ C:\Users\******\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-14 08:54 - 2014-02-20 09:24 - 00002288 _____ C:\Users\******\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2015-07-14 08:54 - 2014-02-03 17:25 - 00002114 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft SkyDrive.lnk
2015-07-14 08:54 - 2014-02-03 17:25 - 00001427 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-07-12 17:38 - 2012-09-18 19:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-09 10:16 - 2012-10-09 19:17 - 18510000 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-07-09 10:16 - 2012-09-18 19:26 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-06 20:17 - 2014-08-07 08:29 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-06 20:17 - 2012-11-02 11:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-07-06 20:17 - 2012-11-02 11:27 - 00000000 ____D C:\Program Files (x86)\Avira
2015-07-02 10:29 - 2012-12-24 13:44 - 00000000 ____D C:\ProgramData\Skype
2015-07-02 10:28 - 2013-03-17 16:20 - 00000000 ____D C:\Program Files (x86)\Steam
2015-06-30 15:57 - 2014-12-02 19:08 - 00000000 __SHD C:\Users\******\AppData\Local\EmieBrowserModeList
2015-06-30 15:57 - 2014-04-28 15:44 - 00000000 __SHD C:\Users\******\AppData\Local\EmieUserList
2015-06-30 15:57 - 2014-04-28 15:44 - 00000000 __SHD C:\Users\******\AppData\Local\EmieSiteList
2015-06-30 15:41 - 2014-12-26 17:58 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-06-29 12:00 - 2013-10-19 08:17 - 00000000 ____D C:\ProgramData\Oracle
2015-06-29 11:59 - 2014-10-15 20:13 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-06-29 11:59 - 2014-10-15 20:13 - 00000000 ____D C:\Program Files (x86)\Java
2015-06-29 11:34 - 2009-07-14 05:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-06-28 12:26 - 2009-07-14 07:32 - 00000000 ____D C:\Windows\system32\FxsTmp

==================== Files in the root of some directories =======

2012-12-01 14:08 - 2012-12-01 14:08 - 0036035 _____ () C:\Users\******\AppData\Roaming\fotobuch-cache7.xml
2012-12-01 14:08 - 2012-12-01 14:08 - 0389336 _____ () C:\Users\******\AppData\Roaming\fotobuch-tcache.xml
2012-12-01 14:14 - 2012-12-01 14:15 - 0001411 _____ () C:\Users\******\AppData\Roaming\fotobuch.xml
2015-06-07 08:46 - 2015-06-07 08:46 - 0000080 _____ () C:\Users\******\AppData\Roaming\mBot.ini
2012-12-05 15:36 - 2012-12-05 15:36 - 0038409 _____ () C:\Users\******\AppData\Roaming\Microsoft Excel 97-2003.ADR
2013-05-31 15:17 - 2013-05-31 15:17 - 0003584 _____ () C:\Users\******\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-22 17:43 - 2015-01-22 17:43 - 0002118 _____ () C:\Users\******\AppData\Local\recently-used.xbel
2015-06-30 14:23 - 2015-06-30 14:23 - 0364032 _____ () C:\Users\******\AppData\Local\WikiUpdate.exe
2015-07-14 10:12 - 2015-07-14 10:12 - 0636826 _____ () C:\ProgramData\1436861066.bdinstall.bin
2013-09-18 13:58 - 2013-09-18 13:58 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\avgnt.exe
C:\Users\******\AppData\Local\Temp\avgnt.exe
C:\Users\******\AppData\Local\Temp\handle.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-19 16:38

==================== End of log ============================
         
Additional
FRST Logfile:
Code:
scan result of Farbar Recovery Scan Tool (x64) Version:13-07-2015
Ran by ****** at 2015-07-14 11:37:16
Running from D:\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2762328675-326499041-2546556484-500 - Administrator - Disabled) => C:\Users\Administrator
Gast (S-1-5-21-2762328675-326499041-2546556484-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2762328675-326499041-2546556484-1005 - Limited - Enabled)
****** (S-1-5-21-2762328675-326499041-2546556484-1000 - Administrator - Enabled) => C:\Users\******

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Bitdefender Antivirus (Enabled - Up to date) {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
AS: Bitdefender Spyware-Schutz (Enabled - Up to date) {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
AS: Avira Antivirus (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Enabled) {A23392FD-84B9-F933-2C71-81E751F6EF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acronis True Image 2014 (HKLM-x32\...\{3ECDD663-5AF8-489B-9E3C-561F33A271BD}Visible) (Version: 17.0.6673 - Acronis)
Acronis True Image 2014 (x32 Version: 17.0.6673 - Acronis) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 4.0.0.1390 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.203 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.11) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
Amazon Music (HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\Amazon Amazon Music) (Version: 3.8.1.754 - Amazon Services LLC)
Amazon Music Importer (HKLM-x32\...\com.amazon.music.uploader) (Version: 2.1.0 - Amazon Services LLC)
Amazon Music Importer (x32 Version: 2.1.0 - Amazon Services LLC) Hidden
Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.122 - Atheros)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Audiograbber 1.83 SE  (HKLM-x32\...\Audiograbber) (Version: 1.83 SE  - Audiograbber)
Audiograbber MP3-Plugin (HKLM-x32\...\Audiograbber-Lame) (Version: 1.0 - AG)
Avira (HKLM-x32\...\{8467e01f-0496-42ce-b247-88ef205b4880}) (Version: 1.1.40.29239 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.40.29239 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.11.579 - Avira Operations GmbH & Co. KG)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bitdefender Internet Security 2015 (HKLM\...\Bitdefender) (Version: 18.22.0.1521 - Bitdefender)
Counter-Strike 1.6 (HKLM-x32\...\{13B792AA-C078-43A4-8A3A-8B12D629940D}) (Version: 1.00.0000 - )
Druckerdeinstallation für EPSON Remote Print (HKLM\...\EPSON Remote Print) (Version:  - SEIKO EPSON Corporation)
Epson Benutzerhandbuch WF-3520 Series (HKLM-x32\...\WF-3520 Series Useg) (Version:  - )
Epson Connect Guide (HKLM-x32\...\Epson Connect Guide) (Version:  - )
Epson Connect Printer Setup (HKLM-x32\...\{D9B1D51B-EB56-410D-AEB5-1CCFAC4B6C8C}) (Version: 1.3.0 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print 2 (HKLM-x32\...\{02A312B5-1542-47B6-BFE9-F51358C39E86}) (Version: 2.4.0.0 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser) (HKLM-x32\...\{B2D55EB8-32C5-4B43-9006-9E97DECBA178}) (Version: 1.00.0000 - SEIKO EPSON CORPORATION2)
Epson Event Manager (HKLM-x32\...\{8F01524C-0676-4CC1-B4AE-64753C723391}) (Version: 3.01.0005 - Seiko Epson Corporation)
Epson E-Web Print (HKLM-x32\...\{E904F572-D7DB-43C1-929F-043F267FC77D}) (Version: 1.22.0000 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.31.00 - SEIKO EPSON CORPORATION)
Epson Netzwerkhandbuch WF-3520 Series (HKLM-x32\...\WF-3520 Series Netg) (Version:  - )
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Printer Finder (HKLM-x32\...\{B8ECD0D3-AE08-4891-B6C7-32F96B75EB6C}) (Version: 1.0.0 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-3520 Series Printer Uninstall (HKLM\...\EPSON WF-3520 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1262 - Intel Corporation)
Intel(R) OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3958 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Logitech SetPoint 6.50 (HKLM\...\sp6) (Version: 6.50.152 - Logitech)
Logitech Unifying-Software 2.10 (HKLM\...\Logitech Unifying) (Version: 2.10.37 - Logitech)
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-0081-0407-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\OneDriveSetup.exe) (Version: 17.3.5860.0512 - Microsoft Corporation)
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit (HKLM-x32\...\{95140000-007D-0409-0000-0000000FF1CE}) (Version: 14.0.5120.5000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022.218 (HKLM\...\{BBBE35B2-9349-3C48-BD3D-F574B17C7924}) (Version: 9.0.21022.218 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{402ED4A1-8F5B-387A-8688-997ABF58B8F2}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 39.0 (x86 de)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Mp3tag v2.65a (HKLM-x32\...\Mp3tag) (Version: v2.65a - Florian Heidenreich)
MusicBrainz Picard (HKLM-x32\...\MusicBrainz Picard) (Version: 1.3.2 - MusicBrainz)
MyDriveConnect 3.3.0.1342 (HKLM-x32\...\MyDriveConnect) (Version: 3.3.0.1342 - TomTom)
MyEpson Portal (HKLM-x32\...\MyEpson Portal) (Version:  - SEIKO EPSON Corporation)
MyEpson Portal (x32 Version: 1.1.1.0 - SEIKO EPSON CORPORATION) Hidden
Nero BurningROM 2015 (HKLM-x32\...\{6A4B15CC-4E95-45A1-807A-AB7267B02959}) (Version: 16.0.02000 - Nero AG)
Nero Info (HKLM-x32\...\{B791E0AB-87A9-41A4-8D98-D13C2E37D928}) (Version: 16.0.1003 - Nero AG)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.5 - Notepad++ Team)
NVIDIA GeForce Experience 2.0.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.0.1 - NVIDIA Corporation)
NVIDIA Grafiktreiber 352.86 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 352.86 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
PDF Split And Merge Basic (HKLM\...\{9A40D2F8-9458-458B-95E3-B57797C574E1}) (Version: 2.2.3 - Andrea Vacondio)
Photo Station Uploader (remove only) (HKLM-x32\...\Photo Station Uploader) (Version:  - Synology)
POIbase 2.0.9 (HKLM-x32\...\POIbase_is1) (Version:  - POIbase)
Prerequisite installer (x32 Version: 16.0.0003 - Nero AG) Hidden
Qualcomm Atheros Killer Network Manager (HKLM-x32\...\InstallShield_{DF446558-ADF7-4884-9B2D-281979CCE71F}) (Version: 6.1.0.395 - Qualcomm Atheros)
Qualcomm Atheros Killer Network Manager (Version: 6.1.0.395 - Qualcomm Atheros) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6570 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.90 - Realtek Semiconductor Corp.)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.4.4.0 - SAMSUNG Electronics Co., Ltd.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Setup (HKLM-x32\...\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}) (Version:  - )
SHIELD Streaming (Version: 2.1.108 - NVIDIA Corporation) Hidden
Software Updater (HKLM-x32\...\{E1BAD1BA-C0E8-4018-9281-E7D2C6B07474}) (Version: 4.3.6 - SEIKO EPSON CORPORATION)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
SurveillancePlugin (HKLM-x32\...\{970AE435-8AAE-4F5E-A754-880DAC8968C5}) (Version: 1.0.0.565 - Synology)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.41110 - TeamViewer)
TmNationsForever (HKLM-x32\...\TmNationsForever_is1) (Version:  - Nadeo)
Uplay (HKLM-x32\...\Uplay) (Version: 4.0 - Ubisoft)
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
VLC media player 2.0.3 (HKLM-x32\...\VLC media player) (Version: 2.0.3 - VideoLAN)
WAV To MP3 V2 (HKLM-x32\...\WAV To MP3_is1) (Version:  - hxxp://www.WAVMP3.net)
WinRAR 5.00 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2762328675-326499041-2546556484-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\******\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points =========================

14-07-2015 10:21:25 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0B1253F1-84C0-4779-A23C-246F23C0910D} - System32\Tasks\{4B4D3694-BFCF-40CB-9595-5BA5DBC52F95} => Firefox.exe hxxp://ui.skype.com/ui/0/6.3.73.105.457/de/abandoninstall?page=tsMain
Task: {426AA303-CD7E-4954-AB96-D9ED1126B822} - System32\Tasks\HP Officejet Pro 8100.exe_{B0B8727A-453B-481E-9D63-CCF71FBE7402} => C:\Program Files\HP\HP Officejet Pro 8100\Bin\HP Officejet Pro 8100.exe
Task: {4554668E-1C5A-46D4-948F-61C5DBA88515} - System32\Tasks\RPKBwyOEM3ar => C:\Users\******\AppData\Roaming\RPKBwyOEM3ar.exe <==== ATTENTION
Task: {732CB92F-98CF-4D10-A04B-F55DBC7DA6FE} - System32\Tasks\{EAC3AF2B-5DE7-491A-9A8F-8B56E741984B} => pcalua.exe -a "C:\Program Files (x86)\Profi cash Demo\uinstall.exe" -c C:\Program Files (x86)\Profi cash Demo\install.log
Task: {782D776B-668C-4B7D-B11C-662CF3FBCC74} - System32\Tasks\Nero\Nero Info => C:\Program Files (x86)\Common Files\Nero\Nero Info\NeroInfo.exe [2014-07-21] (Nero AG)
Task: {7D929B08-500F-4310-AB10-2E80168D66F4} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-14] (Adobe Systems Incorporated)
Task: {A404F2C4-4ED1-46EE-860B-56E2E3193094} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-06-12] (Adobe Systems Incorporated)
Task: {C2CC0A76-2554-4570-879A-730C3A3A44BF} - System32\Tasks\Microsoft\Windows\SyncCenter\S-1-5-21-2762328675-326499041-2546556484-1000\{750FDF10-2A26-11D1-A3EA-080036587F03}\Offlinedateien-Synchronisierungszeitplan 1 => C:\Windows\system32\mobsync.exe [2010-11-20] (Microsoft Corporation)
Task: {C4AE796E-0DC7-4CD4-8265-5ABD330831F6} - System32\Tasks\Amazon Music Helper => C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe [2015-03-03] ()
Task: {FAFFBE1D-E7E7-4699-9DB8-8336DDB64D43} - System32\Tasks\tet3008 => C:\PROGRA~2\FASTSE~1\tet3008.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => 
Task: C:\Windows\Tasks\RPKBwyOEM3ar.job => 

==================== Loaded Modules (Whitelisted) ==============

2015-07-14 10:11 - 2014-08-27 16:31 - 00265080 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\txmlutil.dll
2015-07-14 10:11 - 2013-09-03 14:29 - 00101328 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdmetrics.dll
2015-07-14 10:11 - 2015-04-01 18:05 - 00003072 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\UI\accessl.ui
2015-07-14 10:11 - 2012-10-29 14:22 - 00152816 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdfwcore.dll
2015-07-14 10:18 - 2015-07-14 10:18 - 00790368 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00350_002\ashttpbr.mdl
2015-07-14 10:18 - 2015-07-14 10:18 - 00711064 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00350_002\ashttpdsp.mdl
2015-07-14 10:18 - 2015-07-14 10:18 - 02683520 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00350_002\ashttpph.mdl
2015-07-14 10:18 - 2015-07-14 10:18 - 01326504 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_00350_002\ashttprbl.mdl
2012-09-17 12:55 - 2015-05-12 05:30 - 00116368 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2012-09-17 12:54 - 2015-05-12 08:27 - 00012104 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2014-10-31 15:12 - 2015-03-03 00:44 - 05886272 _____ () C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe
2012-07-23 16:36 - 2012-07-23 16:36 - 00490496 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe
2011-05-09 20:46 - 2011-05-09 20:46 - 02760192 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\QtCore4.dll
2011-05-09 20:56 - 2011-05-09 20:56 - 09856000 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\QtGui4.dll
2011-05-09 20:47 - 2011-05-09 20:47 - 00416256 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\QtXml4.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00217600 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFCommon.dll
2011-05-10 12:32 - 2011-05-10 12:32 - 00731648 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\qwt5.dll
2011-05-09 20:48 - 2011-05-09 20:48 - 00990720 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\QtNetwork4.dll
2015-06-30 14:23 - 2015-06-30 14:23 - 00364032 _____ () C:\Users\******\AppData\Local\WikiUpdate.exe
2013-10-01 11:32 - 2013-10-01 11:32 - 02818216 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll
2012-09-27 13:52 - 2012-09-27 13:52 - 02169856 ___SH () C:\Windows\System32\hale.exe
2012-10-06 10:15 - 2012-10-06 10:15 - 01976632 _____ () C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00553984 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\KillerNetManager.exe
2012-07-23 16:36 - 2012-07-23 16:36 - 00404992 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modApplications.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00036864 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modFeatures.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00025088 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modFraps.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00240128 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modGraph.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00062464 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modlcd.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00291328 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modNetwork.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00184832 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modNpu.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00211456 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modOptions.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00064000 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modOverview.dll
2012-07-23 16:36 - 2012-07-23 16:36 - 00317440 _____ () C:\Program Files\Qualcomm Atheros\Killer Network Manager\plugins\modSystemInfo.dll
2012-09-17 12:54 - 2015-05-12 08:27 - 00011920 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2013-11-29 11:29 - 2013-11-29 11:29 - 00026520 _____ () C:\Program Files (x86)\MyDrive Connect\DeviceDetection.dll
2013-11-29 11:28 - 2013-11-29 11:28 - 00082840 _____ () C:\Program Files (x86)\MyDrive Connect\TomTomSupporterBase.dll
2013-11-29 11:28 - 2013-11-29 11:28 - 00344984 _____ () C:\Program Files (x86)\MyDrive Connect\TomTomSupporterProxy.dll
2014-02-04 19:25 - 2014-02-04 19:25 - 00036672 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\qt_icontray_ex.dll
2014-02-04 19:25 - 2014-02-04 19:25 - 00028992 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\thread_pool.dll
2013-10-10 13:02 - 2013-10-10 13:02 - 00013120 _____ () C:\Program Files (x86)\Common Files\Acronis\TibMounter\icudt38.dll
2014-10-17 20:02 - 2014-10-17 20:02 - 00172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\92a1650dbe9fad5f46633b835420e1a8\IsdiInterop.ni.dll
2012-09-17 13:05 - 2011-11-29 20:00 - 00059392 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2014-02-04 19:28 - 2014-02-04 19:28 - 00420160 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\ulxmlrpcpp.dll
2013-10-01 12:00 - 2013-10-01 12:00 - 00022336 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\ti_managers_proxy_stub.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\abengine => ""="service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-2762328675-326499041-2546556484-1000\...\webcompanion.com -> hxxp://webcompanion.com


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2762328675-326499041-2546556484-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\******\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.10.10.241 - 10.10.10.242

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Amazon Music => "C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe"
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\Steam.exe" -silent
MSCONFIG\startupreg: VISIT-X Video Splitter => "C:\Program Files (x86)\Visit-X B.V\VISIT-X Video Splitter\VISIT-X Video Splitter.exe" /a

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{E7A7CA79-6BA0-42BB-B945-9F4BD983C71E}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{7C9D8FF3-1AC3-4616-9AE4-36FE6E49E2FB}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{F8CEC990-56B2-4E59-9DA5-270C3A0A9CAA}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{D9EE26B2-3119-4D1E-A39B-14348939D5E3}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [TCP Query User{541049E0-E2DB-436B-89A7-7520527B9C15}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{F18D00B6-64DF-496C-B154-D72AE36040F1}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{1DD01764-7E0E-48FE-9024-A2DC78F19C9E}C:\program files (x86)\synology\assistant\dsassistant.exe] => (Allow) C:\program files (x86)\synology\assistant\dsassistant.exe
FirewallRules: [UDP Query User{D9B8EEE7-868B-413C-ABA0-AE98C97157E2}C:\program files (x86)\synology\assistant\dsassistant.exe] => (Allow) C:\program files (x86)\synology\assistant\dsassistant.exe
FirewallRules: [{BACF097A-D401-497B-8E46-4FBFFF90121C}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{C7BD37A0-3BFC-4C6F-9FBA-F5F1FEDED811}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{43CF44D2-EB50-4275-8FFF-263F5D89D84A}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{ECFC7F1F-6534-4000-B8E3-33846F7F5D5D}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{E96E44AB-3DC9-4004-80A9-5DAD75EB5FBA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{92F3CF2E-7D27-450B-9BBE-FB603F57B957}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{F89FE0C8-6EE0-4E51-8786-23F676570A9A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{08C6006F-184E-4550-88C8-C137ED75131B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{14F7FFCF-CDB8-4A62-A29E-7FC70447E778}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{B6E66B03-7B0D-4853-9879-2158B991E55D}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{CAF7D8AF-6840-4E93-8B39-339BFA166A8B}C:\program files (x86)\synology\photo station uploader\mediauploader.exe] => (Allow) C:\program files (x86)\synology\photo station uploader\mediauploader.exe
FirewallRules: [UDP Query User{D234295E-8106-4DF1-B63C-F395A2E677B2}C:\program files (x86)\synology\photo station uploader\mediauploader.exe] => (Allow) C:\program files (x86)\synology\photo station uploader\mediauploader.exe
FirewallRules: [{F518644E-50DB-4ED6-932A-2DAD3AD19CB8}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{2B8FEC1B-CA03-461C-A431-8A0204412D4E}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{5B317551-2F87-400E-BC2E-04FA62E041D2}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{CE91F7A6-F3CA-48D6-92FA-686CB81EF3B3}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{33BCE5C2-4699-4D89-965D-986A1FDE12AD}] => (Allow) C:\Program Files (x86)\Nero\Nero 2015\Nero Burning ROM\StartNBR.exe
FirewallRules: [{E415FF24-97C4-4748-8402-B082A8BEFAF4}] => (Allow) C:\Program Files (x86)\Nero\Nero 2015\Nero Burning ROM\nero.exe
FirewallRules: [TCP Query User{05B8DB86-6CF9-49CE-A192-D887A2869028}C:\program files (x86)\valve\hl.exe] => (Allow) C:\program files (x86)\valve\hl.exe
FirewallRules: [UDP Query User{52B6DB25-68B0-44B5-A519-6606E686D9B8}C:\program files (x86)\valve\hl.exe] => (Allow) C:\program files (x86)\valve\hl.exe
FirewallRules: [TCP Query User{82ACB459-4709-4900-8309-31169AAFB7F6}C:\program files (x86)\tmnationsforever\tmforever.exe] => (Allow) C:\program files (x86)\tmnationsforever\tmforever.exe
FirewallRules: [UDP Query User{32F7FD0D-CEDE-4110-8A1E-4F3AEFF946CC}C:\program files (x86)\tmnationsforever\tmforever.exe] => (Allow) C:\program files (x86)\tmnationsforever\tmforever.exe
FirewallRules: [TCP Query User{5A6EBE47-EE0E-4B9E-9A5A-51A3323E3E61}G:\games\conflict online\mbot\mbot_vsro110.exe] => (Allow) G:\games\conflict online\mbot\mbot_vsro110.exe
FirewallRules: [UDP Query User{A877645E-CD61-4697-AD27-FF30B6E2E446}G:\games\conflict online\mbot\mbot_vsro110.exe] => (Allow) G:\games\conflict online\mbot\mbot_vsro110.exe
FirewallRules: [{92348183-84F4-4FD6-A72A-E8B6A1437BEC}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe
FirewallRules: [{5C78C832-E8E9-4267-B707-9084A6895109}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe

==================== Faulty Device Manager Devices =============

Name: Microsoft-Teredo-Tunneling-Adapter
Description: Microsoft-Teredo-Tunneling-Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/14/2015 10:59:48 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

Error: (07/14/2015 10:24:29 AM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: ******-LAPTOP)
Description: Die Anwendung oder der Dienst "Bitdefender Virus Shield" konnte nicht heruntergefahren werden.

Error: (07/14/2015 10:24:29 AM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: ******-LAPTOP)
Description: Die Anwendung oder der Dienst "Bitdefender Virus Shield" konnte nicht heruntergefahren werden.

Error: (07/14/2015 09:00:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Avira.Systray.exe, Version: 1.1.40.29268, Zeitstempel: 0x556dc898
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.1.7601.18869, Zeitstempel: 0x556363bc
Ausnahmecode: 0xe0434352
Fehleroffset: 0x0000c42d
ID des fehlerhaften Prozesses: 0x1e40
Startzeit der fehlerhaften Anwendung: 0xAvira.Systray.exe0
Pfad der fehlerhaften Anwendung: Avira.Systray.exe1
Pfad des fehlerhaften Moduls: Avira.Systray.exe2
Berichtskennung: Avira.Systray.exe3

Error: (07/14/2015 09:00:13 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (5760) WindowsMail0: Die Sicherung wurde abgebrochen, weil sie vom Client angehalten wurde, oder weil die Verbindung mit dem Client unterbrochen wurde.

Error: (07/14/2015 08:58:29 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

Error: (07/14/2015 08:58:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm gentlemjmp_ieu.tmp, Version 51.52.0.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 2b44

Startzeit: 01d0be024e845c84

Endzeit: 0

Anwendungspfad: C:\Users\******\AppData\Local\Temp\is-29PVU.tmp\gentlemjmp_ieu.tmp

Berichts-ID:

Error: (07/14/2015 08:58:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm myoffergroup_de.tmp, Version 51.52.0.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 2374

Startzeit: 01d0be024804d7bb

Endzeit: 0

Anwendungspfad: C:\Users\******\AppData\Local\Temp\is-UV6T4.tmp\myoffergroup_de.tmp

Berichts-ID:

Error: (07/14/2015 08:53:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: QQBrowser.exe, Version: 7.3.11251.400, Zeitstempel: 0x51d4fd5d
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00000001
ID des fehlerhaften Prozesses: 0x22f8
Startzeit der fehlerhaften Anwendung: 0xQQBrowser.exe0
Pfad der fehlerhaften Anwendung: QQBrowser.exe1
Pfad des fehlerhaften Moduls: QQBrowser.exe2
Berichtskennung: QQBrowser.exe3

Error: (07/14/2015 08:53:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: QQBrowser.exe, Version: 7.3.11251.400, Zeitstempel: 0x51d4fd5d
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00000001
ID des fehlerhaften Prozesses: 0x1a2c
Startzeit der fehlerhaften Anwendung: 0xQQBrowser.exe0
Pfad der fehlerhaften Anwendung: QQBrowser.exe1
Pfad des fehlerhaften Moduls: QQBrowser.exe2
Berichtskennung: QQBrowser.exe3


System errors:
=============
Error: (07/14/2015 11:05:29 AM) (Source: DCOM) (EventID: 10016) (User: NT-AUTORITÄT)
Description: AnwendungsspezifischLokalStart{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT-AUTORITÄTSYSTEMS-1-5-18LocalHost (unter Verwendung von LRPC)

Error: (07/14/2015 11:04:31 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Util veberGreat" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (07/14/2015 11:04:31 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Update veberGreat" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (07/14/2015 11:00:19 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst VSSERV erreicht.

Error: (07/14/2015 10:04:41 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Avira Echtzeit-Scanner" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden durchgeführt: Neustart des Diensts.

Error: (07/14/2015 09:11:49 AM) (Source: DCOM) (EventID: 10016) (User: NT-AUTORITÄT)
Description: AnwendungsspezifischLokalStart{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT-AUTORITÄTSYSTEMS-1-5-18LocalHost (unter Verwendung von LRPC)

Error: (07/14/2015 09:10:50 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Util veberGreat" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (07/14/2015 09:10:50 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Update veberGreat" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (07/14/2015 09:06:49 AM) (Source: DCOM) (EventID: 10016) (User: NT-AUTORITÄT)
Description: AnwendungsspezifischLokalStart{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT-AUTORITÄTSYSTEMS-1-5-18LocalHost (unter Verwendung von LRPC)

Error: (07/14/2015 09:05:49 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Util veberGreat" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2


Microsoft Office:
=========================
Error: (07/14/2015 10:59:48 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

Error: (07/14/2015 10:24:29 AM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: ******-LAPTOP)
Description: 1vsserv.exeBitdefender Virus Shield0302621616080

Error: (07/14/2015 10:24:29 AM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: ******-LAPTOP)
Description: 0vsserv.exeBitdefender Virus Shield030262161608243003A005C00570069006E0064006F00770073005C004D006900630072006F0073006F00660074002E004E00450054005C004600720061006D00650077006F0072006B00360034005C00760034002E0030002E00330030003300310039005C0053006500740075007000430061006300680065005C00760034002E0035002E00350030003900330038005C004E0065007400460078005F00460075006C006C005F004700440052002E006D007A007A00000043003A005C00570069006E0064006F00770073005C004D006900630072006F0073006F00660074002E004E00450054005C004600720061006D00650077006F0072006B00360034005C00760034002E0030002E00330030003300310039005C0053006500740075007000430061006300680065005C00760034002E0035002E00350030003900330038005C004E0065007400460078005F00460075006C006C005F004C00440052002E006D007A007A000000

Error: (07/14/2015 09:00:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Avira.Systray.exe1.1.40.29268556dc898KERNELBASE.dll6.1.7601.18869556363bce04343520000c42d1e4001d0be02c305cc50C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exeC:\Windows\syswow64\KERNELBASE.dll0cfd325b-29f6-11e5-b0a7-844bf516ae4d

Error: (07/14/2015 09:00:13 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail5760WindowsMail0:

Error: (07/14/2015 08:58:29 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

Error: (07/14/2015 08:58:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: gentlemjmp_ieu.tmp51.52.0.02b4401d0be024e845c840C:\Users\******\AppData\Local\Temp\is-29PVU.tmp\gentlemjmp_ieu.tmp

Error: (07/14/2015 08:58:13 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: myoffergroup_de.tmp51.52.0.0237401d0be024804d7bb0C:\Users\******\AppData\Local\Temp\is-UV6T4.tmp\myoffergroup_de.tmp

Error: (07/14/2015 08:53:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: QQBrowser.exe7.3.11251.40051d4fd5dunknown0.0.0.000000000c00000050000000122f801d0be01ca94965aC:\Users\******\AppData\Local\Temp\Miui-tmp\QQBrowser.exeunknown0941b4b5-29f5-11e5-9fa2-8c89a503fc40

Error: (07/14/2015 08:53:07 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: QQBrowser.exe7.3.11251.40051d4fd5dunknown0.0.0.000000000c0000005000000011a2c01d0be01bafe2f8cC:\Users\******\AppData\Local\Temp\Miui-tmp\QQBrowser.exeunknownfac5c2ba-29f4-11e5-9fa2-8c89a503fc40


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz
Percentage of memory in use: 55%
Total physical RAM: 8088.82 MB
Available physical RAM: 3637.71 MB
Total Virtual: 16175.86 MB
Available Virtual: 11735.05 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:119.24 GB) (Free:15.22 GB) NTFS
Drive d: (Volume) (Fixed) (Total:465.66 GB) (Free:425.68 GB) NTFS
Drive e: (Onkelz Live 2014) (CDROM) (Total:2.25 GB) (Free:0 GB) UDF
Drive f: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive v: (Backup) (Network) (Total:1829.35 GB) (Free:1402.84 GB) NTFS
Drive w: (Hörbücher) (Network) (Total:1829.35 GB) (Free:1402.84 GB) NTFS
Drive x: (music) (Network) (Total:1829.35 GB) (Free:1402.84 GB) NTFS
Drive y: (Eigene Dokumente) (Network) (Total:1829.35 GB) (Free:1402.84 GB) NTFS
Drive z: (photo) (Network) (Total:1829.35 GB) (Free:1402.84 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: D86FA451)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 119.2 GB) (Disk ID: D86FA449)
Partition 1: (Not Active) - (Size=119.2 GB) - (Type=07 NTFS)

==================== End of log ============================
         

14.07.2015, 12:37   #4
McFly87

GMER Part 1



Code:
ATTFilter
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-14 12:26:50
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2 SAMSUNG_ rev.CXM0 119,24GB
Running: Gmer-19357.exe; Driver: C:\Users\******\AppData\Local\Temp\kxdiakow.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                     00000000772e8731 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                   00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                             000000007730ddc0 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                        000000007730e100 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                  000000007730eb70 6 bytes [48, B8, 79, 01, B4, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                              00000000770c0941 11 bytes [B8, 79, 08, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                               000007fefd215370 12 bytes [48, B8, F9, E1, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                              000007fefd215eb1 11 bytes [B8, B9, E3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                         000007fefd2197a1 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                            000007fefd21a0e1 11 bytes [B8, 39, E0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                 000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, F9, 0B, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                               000007fefdf3ae81 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                         000007fefdf3aee1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                               000007fefdf3e6e9 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                         000007fefdf4048d 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                              000007fefdf40579 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                            000007fefdf405b1 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                           000007fefdf405f9 5 bytes [B8, 39, FC, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                               000007fefdf54e21 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                 000007fefdf6b9c1 7 bytes [B8, B9, EA, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                              00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                             00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                            00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                      000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                  000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                      000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                  000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                      000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                  000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                            000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                           000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                       000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                         000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                     000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                           000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                       000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                         000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                     000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                            000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                        000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                      000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                  000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                             000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                         000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                            000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                        000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                               000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                           000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                 000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                             000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                              000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                          000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                             000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                         000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                 000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                             000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                           000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                       000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                             000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                         000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                           000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                       000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                       000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                   000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                             000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                         000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                              000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                          000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                 000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                             000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                       000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                        00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                  00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                           00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                          00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                    00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                       00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                     00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                     00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                              000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                              000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                 000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                 000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                           000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                          000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                         000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                         000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                      000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                        000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                       000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                            000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                  000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                     000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                          000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                      000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                          000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                      000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                    000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                  000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                 000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                        000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!CreateWindowExA                                                             00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                            00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                          00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                             00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                             00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                         00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                     00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                       00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                       00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!CreateWindowExW                                                             00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!ShowWindow                                                                  00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                              00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                            00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWinEventHook                                                             00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                             00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                          00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                            00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                            00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!GetMessageW                                                                 00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                 00000000771da2c9 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                              00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                           00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                             00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                             00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                       00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                      00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                           00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                           00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                           0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                           0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                          000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                           000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                           000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                       000007fefdb9b039 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                              000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                        000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                  000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                        000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                  000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                       000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                     000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                    000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                        000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                            000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                          000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                         000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                            000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                      000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                      000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                         000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                               000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                     000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                               000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                          000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                      000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                      000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                 000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!closesocket                                                                 000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                              000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                 000007fefdee2201 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!connect                                                                     000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!send + 1                                                                    000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!gethostbyname                                                               000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                           000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                              000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!socket + 1                                                                  000007fefdeede91 11 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!recv + 1                                                                    000007fefdeedf41 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\igfxCUIService.exe[1852] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                              000007fefdf0e0f1 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                            00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                           00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                          00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                    000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                    000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                    000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                              000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                          000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                         000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                     000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                       000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                   000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                         000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                     000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                       000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                   000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                          000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                      000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                    000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                           000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                       000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                          000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                      000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                             000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                         000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                               000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                           000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                            000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                        000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                           000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                       000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                               000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                           000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                         000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                     000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                           000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                       000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                         000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                     000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                     000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                 000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                           000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                       000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                            000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                        000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                               000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                           000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                     000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                      00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                         00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                        00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                  00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                     00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                   00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                   00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleW                                            000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleA                                            000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                               000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                               000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                         000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                        000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                       000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                       000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                    000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                      000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                     000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                          000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                   000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                        000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                    000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                        000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                    000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                  000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                               000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                      000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                     000007fefdb9b039 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                            000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!CreateWindowExA                                           00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!PostMessageA + 1                                          00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                        00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowW + 1                                           00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowW + 9                                           00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                       00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                   00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                     00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                     00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!CreateWindowExW                                           00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!ShowWindow                                                00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!ShowWindow + 8                                            00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                          00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWinEventHook                                           00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!GetMessageA + 1                                           00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                        00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!PostMessageW + 1                                          00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                          00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!GetMessageW                                               00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                               00000000771da2c9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                            00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                         00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowA + 1                                           00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowA + 9                                           00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                     00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                    00000000771e8c2a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                         00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                         00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                         0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                         0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                        000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                         000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                         000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                      000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                      000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                     000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                   000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                  000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                      000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                          000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                        000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                       000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                          000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                    000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                    000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                       000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                             000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                   000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                             000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                        000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                    000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                    000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1944] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                    000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                     00000000772e8731 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                   00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                             000000007730ddc0 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                        000000007730e100 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                  000000007730eb70 6 bytes [48, B8, 79, 01, B4, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                              00000000770c0941 11 bytes [B8, 79, 08, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                               000007fefd215370 12 bytes [48, B8, F9, E1, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                              000007fefd215eb1 11 bytes [B8, B9, E3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                         000007fefd2197a1 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                            000007fefd21a0e1 11 bytes [B8, 39, E0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                 000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, F9, 0B, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                               000007fefdf3ae81 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                         000007fefdf3aee1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                               000007fefdf3e6e9 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                         000007fefdf4048d 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                              000007fefdf40579 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                            000007fefdf405b1 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                           000007fefdf405f9 5 bytes [B8, 39, FC, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                               000007fefdf54e21 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                 000007fefdf6b9c1 7 bytes [B8, B9, EA, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                000007fefdf6b9ca 2 bytes [50, C3]
         

14.07.2015, 12:38   #5
McFly87

Windows 7: virus infection after file download (ADWARE/SuperFish.342192 and ADWARE/CrossRider.Gen7)

GMER Part 2



Code:
ATTFilter
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                        000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!closesocket                                                                        000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                     000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                        000007fefdee2201 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                       000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!connect                                                                            000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!send + 1                                                                           000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                      000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                  000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                                     000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!socket + 1                                                                         000007fefdeede91 11 bytes [B8, 79, EC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!recv + 1                                                                           000007fefdeedf41 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                     000007fefdf0e0f1 11 bytes [B8, F9, EF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] c:\windows\system32\DNSAPI.dll!DnsQuery_UTF8                                                                      000007fefc6456e0 12 bytes [48, B8, 39, CB, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] c:\windows\system32\DNSAPI.dll!DnsQuery_W                                                                         000007fefc65010c 12 bytes [48, B8, 79, C9, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] c:\windows\system32\DNSAPI.dll!DnsQuery_A                                                                         000007fefc66daa0 12 bytes [48, B8, B9, C7, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle                                                                000007fefb2422e0 12 bytes [48, B8, F9, A2, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest                                                                000007fefb2445f8 12 bytes [48, B8, 39, A1, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1980] c:\windows\system32\WINHTTP.dll!WinHttpConnect                                                                    000007fefb253e3c 12 bytes [48, B8, B9, A4, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                      00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                     00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                    00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                              000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                          000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                              000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                          000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                              000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                          000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                        000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                    000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                   000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                               000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                 000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                             000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                   000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                               000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                 000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                             000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                    000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                              000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                          000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                     000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                 000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                    000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                       000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                   000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                         000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                     000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                      000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                  000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                     000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                 000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                         000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                     000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                   000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                               000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                     000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                 000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                   000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                               000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                               000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                           000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                     000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                 000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                      000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                  000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                         000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                     000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                               000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                          00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                   00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                  00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                            00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                               00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                             00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                             00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                      000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                      000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                         000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                         000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                   000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                  000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                 000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                 000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                              000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                                000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                               000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                    000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                          000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                             000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                  000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                              000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                  000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                              000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                            000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                          000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                         000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                               000007fefdb9b039 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                      000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                     00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                    00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                  00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                     00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                     00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                 00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                             00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                               00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                               00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                     00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!ShowWindow                                                                          00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                      00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                    00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                     00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                     00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                  00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                    00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                    00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!GetMessageW                                                                         00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                         00000000771da2c9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                      00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                   00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                     00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                     00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                               00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                              00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                   00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                   00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                   0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                   0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                  000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                   000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                   000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                                000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                          000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                                000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                          000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                               000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                             000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                            000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                                000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                    000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                  000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                 000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                    000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                              000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                              000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                 000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                       000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                             000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                       000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                  000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                              000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                              000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                              000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW                                                             000007fefdd78050 12 bytes [48, B8, B9, 65, B3, 75, 00, ...]
.text    C:\Windows\system32\nvvsvc.exe[1996] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1                                                              000007fefdd795e1 11 bytes [B8, F9, 63, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                     00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                   00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                             000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                             000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                         000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                        000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                  000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                        000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                    000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                              00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                               000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                              000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                         000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                            000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                 000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                   00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                   00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                               000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                         000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                               000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                         000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                              000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                            000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                           000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                               000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                 000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8                                                                      000007fefc6456e0 12 bytes [48, B8, 39, CB, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\System32\DNSAPI.dll!DnsQuery_W                                                                         000007fefc65010c 12 bytes [48, B8, 79, C9, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\System32\DNSAPI.dll!DnsQuery_A                                                                         000007fefc66daa0 12 bytes [48, B8, B9, C7, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                        000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!closesocket                                                                        000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                     000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                        000007fefdee2201 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                       000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!connect                                                                            000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!send + 1                                                                           000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                      000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                  000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                                     000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!socket + 1                                                                         000007fefdeede91 11 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!recv + 1                                                                           000007fefdeedf41 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                     000007fefdf0e0f1 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[2084] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                             000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                    00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                   00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                  00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                            000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                        000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                            000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                        000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                            000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                        000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                      000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                  000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                 000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                             000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                               000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                           000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                 000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                             000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                               000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                           000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                  000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                              000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                            000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                        000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                   000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                               000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                  000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                              000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                     000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                 000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                       000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                   000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                    000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                   000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                               000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                       000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                   000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                 000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                             000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                   000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                               000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                 000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                             000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                             000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                         000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                   000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                               000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                    000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                       000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                   000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                             000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                              00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                        00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                 00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                          00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                             00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                           00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                           00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                    000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                    000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                       000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                       000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                 000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                               000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                               000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                            000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                              000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                             000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                  000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                        000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                           000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                            000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                            000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                          000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                        000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                       000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                              000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                             000007fefdb9b039 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                    000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                   00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                  00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                   00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                   00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                               00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                           00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                             00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                             00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                   00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!ShowWindow                                                                        00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                    00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                  00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                   00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                   00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                  00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                  00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!GetMessageW                                                                       00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                       00000000771da2c9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                    00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                 00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                   00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                   00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                             00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                            00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                 00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                 00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                 0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                 0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                 000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                 000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                               000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                     000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                           000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                     000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                            000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                            000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                              000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                        000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                              000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                        000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                             000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                           000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                          000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                              000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                  000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                               000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                  000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                            000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                            000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[2196] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                            000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                     00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                   00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                             000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                             000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                         000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                        000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                  000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                        000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                    000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!RegSetValueExW                                                                   00000000770aa3e0 7 bytes JMP 000000016fff0228
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!RegQueryValueExW                                                                 00000000770b3f00 5 bytes JMP 000000016fff0180
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                              00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!RegDeleteValueW                                                                  00000000770cffd0 5 bytes JMP 000000016fff01b8
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                                            00000000770df350 5 bytes JMP 000000016fff0110
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                                          0000000077109aa0 7 bytes JMP 000000016fff00d8
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                                          0000000077119530 5 bytes JMP 000000016fff0148
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\kernel32.dll!RegSetValueExA                                                                   0000000077138850 7 bytes JMP 000000016fff01f0
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                                    000007fefd212db0 12 bytes JMP 000007fffd200180
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                                               000007fefd2137d0 7 bytes JMP 000007fffd2000d8
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                               000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                              000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                         000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                            000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                                             000007fefd21a410 2 bytes JMP 000007fffd200110
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3                                                         000007fefd21a413 2 bytes [FE, FF]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                 000007fefd21aec0 12 bytes JMP 000007fffd200148
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW                                                                00000000771c6c80 5 bytes JMP 000000016fff02d0
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                   00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA                                                                00000000771ca5b4 5 bytes JMP 000000016fff0298
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
         


14.07.2015, 12:39   #6
McFly87

GMER Part 3



Code:
ATTFilter
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 7 bytes JMP 000000016fff0308
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                   00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo                                                         00000000771dccec 9 bytes JMP 000000016fff0260
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW                                                           0000000077210700 5 bytes JMP 000000016fff0340
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                                              000007fefdb989e0 8 bytes JMP 000007fffd2001f0
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                                            000007fefdb9be40 8 bytes JMP 000007fffd2001b8
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                    000007fefd947490 11 bytes JMP 000007fffd200228
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                                   000007fefd95bf00 7 bytes JMP 000007fffd200260
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                               000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                         000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                               000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                         000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                              000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                            000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                           000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                               000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                 000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                     00000000772e8731 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                   00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                             000000007730ddc0 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                        000000007730e100 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                  000000007730eb70 6 bytes [48, B8, 79, 01, B4, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                              00000000770c0941 11 bytes [B8, 79, 08, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                               000007fefd215370 12 bytes [48, B8, F9, E1, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                              000007fefd215eb1 11 bytes [B8, B9, E3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                         000007fefd2197a1 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                            000007fefd21a0e1 11 bytes [B8, 39, E0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                 000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, F9, 0B, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                               000007fefdf3ae81 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                         000007fefdf3aee1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                               000007fefdf3e6e9 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                         000007fefdf4048d 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                              000007fefdf40579 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                            000007fefdf405b1 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                           000007fefdf405f9 5 bytes [B8, 39, FC, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                               000007fefdf54e21 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                 000007fefdf6b9c1 7 bytes [B8, B9, EA, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                        000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!closesocket                                                                        000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                     000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                        000007fefdee2201 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                       000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!connect                                                                            000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!send + 1                                                                           000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                      000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                  000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                                     000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!socket + 1                                                                         000007fefdeede91 11 bytes [B8, 79, EC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!recv + 1                                                                           000007fefdeedf41 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2564] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                     000007fefdf0e0f1 11 bytes [B8, F9, EF, B3, 75, 00, 00, ...]
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtReadFile                                       00000000774bf93c 5 bytes JMP 00000001735b6911
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtClose                                          00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                          00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                          00000000774bfbf4 5 bytes JMP 00000001735b74f1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                    00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                               00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                             00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                               00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                             00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                          00000000774bff0c 5 bytes JMP 00000001735b67e1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                 00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                   00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                     00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                    00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                  00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                 00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                     00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                               00000000774c110c 5 bytes JMP 00000001735b7459
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                 00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                               00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                           00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                 00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                  00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                     00000000774c1f34 5 bytes JMP 00000001735b7621
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                       00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                      00000000774e0fe1 5 bytes JMP 00000001735b7589
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                     0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                               00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                       000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                               0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW                              0000000075411efe 7 bytes JMP 0000000170b03880
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                  000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!RegSetValueExW                                0000000075415b9d 7 bytes JMP 0000000170b03ec0
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                00000000754213f9 7 bytes JMP 0000000170b03ad0
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                        0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                         0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                   0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW                               000000007542ea45 7 bytes JMP 0000000170b03870
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                      0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!Process32NextW                                00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                   000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                         000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!WinExec                                       0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                             00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                             00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                  00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                  00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                       00000000754b8ea4 7 bytes JMP 0000000170b033c0
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                       00000000754b8f29 5 bytes JMP 0000000170b03470
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                         00000000754b9281 5 bytes JMP 0000000170b033d0
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                     0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                 0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                             0000000076f5d0af 5 bytes JMP 00000001735b6879
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                          0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                 0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                             0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                            0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                  0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                            0000000076f61d29 5 bytes JMP 0000000170b03380
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                          0000000076f61dd7 5 bytes JMP 0000000170b03340
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                              0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                              0000000076f62ab1 5 bytes JMP 0000000170b03480
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                              0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                 0000000076f62d1d 5 bytes JMP 0000000170b03190
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                            0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                     0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                       0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                          0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                               0000000076f6a217 5 bytes JMP 00000001735b6a41
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                            0000000076f6a500 5 bytes JMP 00000001735b69a9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                 0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                          0000000076f6e2a4 5 bytes JMP 00000001735b73c1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!closesocket                                     0000000076a13918 5 bytes JMP 00000001735b5741
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                      0000000076a13cd3 5 bytes JMP 00000001735b56a9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!socket                                          0000000076a13eb8 5 bytes JMP 00000001735b6d39
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!WSASend                                         0000000076a14406 5 bytes JMP 00000001735b2139
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                    0000000076a14889 5 bytes JMP 00000001735b4dc1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!recv                                            0000000076a16b0e 5 bytes JMP 00000001735b6f01
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!connect                                         0000000076a16bdd 1 byte JMP 00000001735b41e1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!connect + 2                                     0000000076a16bdf 3 bytes {CALL RBP}
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!send                                            0000000076a16f01 5 bytes JMP 00000001735b20a1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!WSARecv                                         0000000076a17089 5 bytes JMP 00000001735b6f99
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                      0000000076a1cc3f 5 bytes JMP 00000001735b6e69
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW                                  0000000076a1d1ea 5 bytes JMP 00000001735b4e59
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                   0000000076a27673 5 bytes JMP 00000001735b4ef1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                      00000000766ca472 5 bytes JMP 00000001735b7881
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                      00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\msvcrt.dll!__p__environ                                    00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!GetMessageW                                     0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!GetMessageA                                     0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                 0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!FindWindowW                                     0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                                 0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                         0000000074edb6ed 5 bytes JMP 00000001735b7919
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                 0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                 0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!FindWindowA                                     0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!FindWindowExA                                   0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!PeekMessageW                                    0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!ShowWindow                                      0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!PostMessageW                                    0000000074ee12a5 5 bytes JMP 00000001735b7751
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                  0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!PostMessageA                                    0000000074ee3baa 5 bytes JMP 00000001735b76b9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA                             0000000074ee4572 5 bytes JMP 0000000170b03110
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!PeekMessageA                                    0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                  0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                               0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                  0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                               0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                      0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW                             0000000074efe567 5 bytes JMP 0000000170b03180
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                             0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!FindWindowExW                                   0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                   0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW                        0000000074f207d7 5 bytes JMP 0000000170b02700
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                   0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                               0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                   0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo                      0000000074f37a5c 5 bytes JMP 0000000170b03100
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                       00000000767d6343 5 bytes JMP 00000001735b79b1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                         00000000767ee96b 5 bytes JMP 0000000170b029a0
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                           00000000767eeba5 5 bytes JMP 0000000170b029c0
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\GDI32.dll!NamedEscape                                      0000000076803fd7 5 bytes JMP 00000001735b7031
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                                   00000000764e8e89 5 bytes JMP 00000001735b6c09
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                          00000000764e9179 5 bytes JMP 00000001735b6ad9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                                00000000764e9186 5 bytes JMP 00000001735b7161
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                                00000000764ec4d2 5 bytes JMP 00000001735b7329
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                  00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                          00000000764edeb4 5 bytes JMP 00000001735b6b71
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                                 00000000764eded6 5 bytes JMP 00000001735b7291
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                               00000000764edeee 5 bytes JMP 00000001735b70c9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                             00000000764edf1e 5 bytes JMP 00000001735b71f9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                  00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                            00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                           00000000764f494d 5 bytes JMP 00000001735b7a49
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                 0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                                  00000000765077cb 5 bytes JMP 00000001735b6ca1
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                          00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                          00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                             00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                             00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Users\******\AppData\Local\Amazon Music\Amazon Music Helper.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                  00000000772e8731 11 bytes [B8, B9, 22, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                 00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                          000000007730dca0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                      000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                          000000007730dd70 6 bytes [48, B8, 39, CB, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                      000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                          000000007730ddc0 6 bytes [48, B8, F9, 20, B4, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                      000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                    000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                               000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                           000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                             000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                         000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                               000000007730de70 6 bytes [48, B8, 79, C9, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                           000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                             000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                         000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                            000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                          000000007730dfc0 6 bytes [48, B8, 79, FA, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                      000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                 000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                             000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                            000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                   000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                               000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                     000000007730e100 6 bytes [48, B8, 39, FC, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                 000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                  000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                              000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                 000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                             000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                     000000007730e9a0 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                 000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                               000000007730eb70 6 bytes [48, B8, 39, 1F, B4, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                           000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                 000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                             000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                               000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                           000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                           000000007730f2a0 6 bytes [48, B8, F9, E1, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                       000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                 000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                             000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                  000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                              000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                     000000007730f480 6 bytes [48, B8, F9, 27, B4, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                 000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                           000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!Process32NextW + 1                            00000000770a1b21 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                      00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                               00000000770a2b61 8 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                              00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                        00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                           00000000770c0941 11 bytes [B8, 39, 26, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                         00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                         00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleW                                  000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!ReadConsoleA                                  000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                     000000007712f501 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                     000000007712f701 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                               000000007712f731 8 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                              000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                             000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                             000007fefd212db1 11 bytes [B8, 79, D0, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                          000007fefd213461 11 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                            000007fefd215370 12 bytes [48, B8, B9, FF, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                           000007fefd215eb1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                      000007fefd2197a1 11 bytes [B8, 79, 1D, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                         000007fefd21a0e1 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                              000007fefd21aec0 12 bytes [48, B8, B9, CE, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                          000007fefd21ca31 11 bytes [B8, F9, CC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                              000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                          000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                        000007fefd250bd1 11 bytes [B8, B9, EA, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                      000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                     000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                            000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                            000007fefdf3ae81 11 bytes [B8, 79, 16, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                      000007fefdf3aee1 11 bytes [B8, 39, 03, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                            000007fefdf3e6e9 11 bytes [B8, B9, 1B, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                      000007fefdf4048d 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                           000007fefdf40579 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                         000007fefdf405b1 11 bytes [B8, 39, 18, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                        000007fefdf405f9 5 bytes [B8, F9, 19, B4, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                            000007fefdf54e21 11 bytes [B8, 39, 2D, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                              000007fefdf6b9c1 7 bytes [B8, 79, 08, B4, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                             000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                          000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                          000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                             000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                   000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                         000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                   000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                              000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                          000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                          000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!CreateWindowExA                                 00000000771ca2e0 12 bytes [48, B8, 39, AF, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!PostMessageA + 1                                00000000771ca405 11 bytes [B8, B9, 29, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                              00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowW + 1                                 00000000771cd265 7 bytes [B8, 79, D7, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowW + 9                                 00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                             00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                         00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                           00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                           00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!CreateWindowExW                                 00000000771d0810 12 bytes [48, B8, 79, AD, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!ShowWindow                                      00000000771d1930 6 bytes [48, B8, F9, B0, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!ShowWindow + 8                                  00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWinEventHook                                 00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!GetMessageA + 1                                 00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                              00000000771d7055 11 bytes [B8, 79, BB, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!PostMessageW + 1                                00000000771d76e5 11 bytes [B8, 79, 2B, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!GetMessageW                                     00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                     00000000771da2c9 11 bytes [B8, F9, 2E, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                  00000000771e4efd 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1               00000000771e7469 11 bytes [B8, B9, B2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowA + 1                                 00000000771e8271 7 bytes [B8, F9, D3, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowA + 9                                 00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                           00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                          00000000771e8c2a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowExW + 1                               00000000771e8d21 7 bytes [B8, 39, D9, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowExW + 9                               00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                               0000000077231371 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                               0000000077231395 11 bytes [B8, F9, B7, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                              000000007723d379 11 bytes [B8, B9, B9, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowExA + 1                               000000007723dae1 7 bytes [B8, B9, D5, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\USER32.dll!FindWindowExA + 9                               000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                           000007fefdb9b039 11 bytes [B8, B9, 30, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                  000007fefdbc8fd9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!WSASend + 1                                     000007fefdee13b1 11 bytes [B8, B9, C7, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!closesocket                                     000007fefdee18e0 12 bytes [48, B8, F9, C5, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                  000007fefdee1bd1 11 bytes [B8, 39, C4, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                     000007fefdee2201 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                    000007fefdee23c0 12 bytes [48, B8, 39, A8, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!connect                                         000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!send + 1                                        000007fefdee8001 11 bytes [B8, 79, C2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!gethostbyname                                   000007fefdee8df0 7 bytes [48, B8, B9, AB, B3, 75, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                               000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                  000007fefdeec090 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!socket + 1                                      000007fefdeede91 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!recv + 1                                        000007fefdeedf41 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                  000007fefdf0e0f1 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[2772] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                          000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                                00000000774bfbf4 5 bytes JMP 00000001735b7459
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                          00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                     00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                   00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                     00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                   00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                      00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                00000000774bff0c 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                       00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                      00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                         00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                           00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                          00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                        00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                       00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                           00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                     00000000774c110c 5 bytes JMP 00000001735b73c1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                       00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                     00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                 00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                       00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                        00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                           00000000774c1f34 5 bytes JMP 00000001735b7589
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                             00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                            00000000774e0fe1 5 bytes JMP 00000001735b74f1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                           0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                     00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                             000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                     0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                      0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                        000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                              0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                               0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                         0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                            0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!Process32NextW                                      00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                         000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                               000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!WinExec                                             0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                   00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                   00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                        00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                        00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                           0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                       0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                                   0000000076f5d0af 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                       0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                   0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                                  0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                      0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                        0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                  0000000076f61d29 5 bytes JMP 00000001735b1981
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                    0000000076f61e15 5 bytes JMP 00000001735b24c9
         

14.07.2015, 12:40   #7
McFly87
 

GMER part 4



Code:
ATTFilter
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                    0000000076f62ab1 5 bytes JMP 00000001735b59a1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                    0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                       0000000076f62d1d 5 bytes JMP 00000001735b5a39
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                  0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                           0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                             0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                      0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                                     0000000076f6a217 5 bytes JMP 00000001735b69a9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                                  0000000076f6a500 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                       0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                                0000000076f6e2a4 5 bytes JMP 00000001735b7329
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!GetMessageW                                           0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!GetMessageA                                           0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                       0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!FindWindowW                                           0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                                       0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                               0000000074edb6ed 5 bytes JMP 00000001735b7751
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                       0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                       0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!FindWindowA                                           0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!FindWindowExA                                         0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!PeekMessageW                                          0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!ShowWindow                                            0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!PostMessageW                                          0000000074ee12a5 5 bytes JMP 00000001735b76b9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                        0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!PostMessageA                                          0000000074ee3baa 5 bytes JMP 00000001735b7621
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!PeekMessageA                                          0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                        0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                     0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                        0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                     0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                            0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                   0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!FindWindowExW                                         0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                         0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                         0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                                     0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                         0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                             00000000767d6343 5 bytes JMP 00000001735b77e9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\GDI32.dll!NamedEscape                                            0000000076803fd7 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                            00000000766ca472 5 bytes JMP 00000001735b7881
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                            00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\msvcrt.dll!__p__environ                                          00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                                         00000000764e8e89 5 bytes JMP 00000001735b6b71
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                                00000000764e9179 5 bytes JMP 00000001735b6a41
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                                      00000000764e9186 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                                      00000000764ec4d2 5 bytes JMP 00000001735b7291
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                        00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                                00000000764edeb4 5 bytes JMP 00000001735b6ad9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                                       00000000764eded6 5 bytes JMP 00000001735b71f9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                                     00000000764edeee 5 bytes JMP 00000001735b7031
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                                   00000000764edf1e 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                        00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                  00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                 00000000764f494d 5 bytes JMP 00000001735b7919
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                      0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                      000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                       0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                                        00000000765077cb 5 bytes JMP 00000001735b6c09
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                   00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                   00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                      000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2836] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                    0000000075830179 5 bytes JMP 00000001735b4d29
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                  00000000772e8731 11 bytes [B8, B9, 22, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                 00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                          000000007730dca0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                      000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                          000000007730dd70 6 bytes [48, B8, 39, CB, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                      000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                          000000007730ddc0 6 bytes [48, B8, F9, 20, B4, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                      000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                    000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                               000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                           000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                             000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                         000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                               000000007730de70 6 bytes [48, B8, 79, C9, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                           000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                             000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                         000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                            000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                          000000007730dfc0 6 bytes [48, B8, 79, FA, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                      000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                 000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                             000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                            000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                   000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                               000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                     000000007730e100 6 bytes [48, B8, 39, FC, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                 000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                  000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                              000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                 000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                             000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                     000000007730e9a0 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                 000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                               000000007730eb70 6 bytes [48, B8, 39, 1F, B4, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                           000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                 000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                             000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                               000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                           000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                           000000007730f2a0 6 bytes [48, B8, F9, E1, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                       000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                 000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                             000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                  000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                              000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                     000000007730f480 6 bytes [48, B8, F9, 27, B4, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                 000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                           000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!Process32NextW + 1                            00000000770a1b21 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                      00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                               00000000770a2b61 8 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                              00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!RegSetValueExW                                00000000770aa3e0 7 bytes JMP 000000016fff0228
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!RegQueryValueExW                              00000000770b3f00 5 bytes JMP 000000016fff0180
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                        00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                           00000000770c0941 11 bytes [B8, 39, 26, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!RegDeleteValueW                               00000000770cffd0 5 bytes JMP 000000016fff01b8
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                         00000000770df350 5 bytes JMP 000000016fff0110
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                         00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                         00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                       0000000077109aa0 7 bytes JMP 000000016fff00d8
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!ReadConsoleW                                  000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!ReadConsoleA                                  000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                       0000000077119530 5 bytes JMP 000000016fff0148
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                     000000007712f501 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                     000000007712f701 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                               000000007712f731 8 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                              000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\kernel32.dll!RegSetValueExA                                0000000077138850 7 bytes JMP 000000016fff01f0
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                             000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                 000007fefd212db0 12 bytes JMP 000007fffd200180
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                          000007fefd213461 11 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                            000007fefd2137d0 7 bytes JMP 000007fffd2000d8
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                            000007fefd215370 12 bytes [48, B8, B9, FF, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                           000007fefd215eb1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                      000007fefd2197a1 11 bytes [B8, 79, 1D, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                         000007fefd21a0e1 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                          000007fefd21a410 2 bytes JMP 000007fffd200110
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3                      000007fefd21a413 2 bytes [FE, FF]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                              000007fefd21aec0 12 bytes JMP 000007fffd200148
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                          000007fefd21ca31 11 bytes [B8, F9, CC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                              000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                          000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                        000007fefd250bd1 11 bytes [B8, B9, EA, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                      000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                     000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                            000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                            000007fefdf3ae81 11 bytes [B8, 79, 16, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                      000007fefdf3aee1 11 bytes [B8, 39, 03, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                            000007fefdf3e6e9 11 bytes [B8, B9, 1B, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                      000007fefdf4048d 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                           000007fefdf40579 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                         000007fefdf405b1 11 bytes [B8, 39, 18, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                        000007fefdf405f9 5 bytes [B8, F9, 19, B4, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                            000007fefdf54e21 11 bytes [B8, 39, 2D, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                              000007fefdf6b9c1 7 bytes [B8, 79, 08, B4, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                             000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                          000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                          000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                             000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                   000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                         000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                   000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                              000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                          000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                          000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW                             00000000771c6c80 5 bytes JMP 000000016fff02d0
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!CreateWindowExA                                 00000000771ca2e0 12 bytes [48, B8, 39, AF, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!PostMessageA + 1                                00000000771ca405 11 bytes [B8, B9, 29, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA                             00000000771ca5b4 5 bytes JMP 000000016fff0298
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                              00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowW + 1                                 00000000771cd265 7 bytes [B8, 79, D7, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowW + 9                                 00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                             00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                         00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                           00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                           00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!CreateWindowExW                                 00000000771d0810 7 bytes JMP 000000016fff0308
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!ShowWindow                                      00000000771d1930 6 bytes [48, B8, F9, B0, B3, 75]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!ShowWindow + 8                                  00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWinEventHook                                 00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!GetMessageA + 1                                 00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                              00000000771d7055 11 bytes [B8, 79, BB, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!PostMessageW + 1                                00000000771d76e5 11 bytes [B8, 79, 2B, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!GetMessageW                                     00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                     00000000771da2c9 11 bytes [B8, F9, 2E, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo                      00000000771dccec 9 bytes JMP 000000016fff0260
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                  00000000771e4efd 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1               00000000771e7469 11 bytes [B8, B9, B2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowA + 1                                 00000000771e8271 7 bytes [B8, F9, D3, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowA + 9                                 00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                           00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                          00000000771e8c2a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowExW + 1                               00000000771e8d21 7 bytes [B8, 39, D9, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowExW + 9                               00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW                        0000000077210700 5 bytes JMP 000000016fff0340
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                               0000000077231371 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                               0000000077231395 11 bytes [B8, F9, B7, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                              000000007723d379 11 bytes [B8, B9, B9, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowExA + 1                               000000007723dae1 7 bytes [B8, B9, D5, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\USER32.dll!FindWindowExA + 9                               000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                           000007fefdb989e0 8 bytes JMP 000007fffd2001f0
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                           000007fefdb9b039 11 bytes [B8, B9, 30, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                         000007fefdb9be40 8 bytes JMP 000007fffd2001b8
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                  000007fefdbc8fd9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                          000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ole32.dll!CoCreateInstance                                 000007fefd947490 11 bytes JMP 000007fffd200228
.text    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[2872] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                000007fefd95bf00 7 bytes JMP 000007fffd200260
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                    00000000774bfa2c 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                    00000000774bfb74 5 bytes JMP 00000001735b61f1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                                    00000000774bfbf4 5 bytes JMP 00000001735b7dd9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                              00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                         00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                       00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                         00000000774bfcfc 5 bytes JMP 00000001735b6159
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                       00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                          00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                    00000000774bff0c 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                           00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                          00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                             00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                               00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                              00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                            00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                           00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                               00000000774c0e40 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                         00000000774c110c 5 bytes JMP 00000001735b7d41
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                           00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                         00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                     00000000774c1c30 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                           00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                            00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                               00000000774c1f34 5 bytes JMP 00000001735b7f09
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                 00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                                00000000774e0fe1 5 bytes JMP 00000001735b7e71
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                               0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                         00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                 000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                         0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                          0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                            000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                  0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                                   0000000075429aa4 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                             0000000075429b05 5 bytes JMP 00000001735b6e69
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!Process32NextW                                          00000000754388da 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                             000000007543ccb1 5 bytes JMP 00000001735b6d39
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                                   000000007543ccd1 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!WinExec                                                 0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                       00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                       00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                            00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe[2940] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                            00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                             00000000772e8731 11 bytes [B8, B9, 22, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                            00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                           00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                     000000007730dca0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                 000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                     000000007730dd70 6 bytes [48, B8, 39, CB, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                 000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                     000000007730ddc0 6 bytes [48, B8, F9, 20, B4, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                 000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                               000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                           000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                          000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                      000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                        000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                    000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                          000000007730de70 6 bytes [48, B8, 79, C9, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                      000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                        000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                    000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                           000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                       000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                     000000007730dfc0 6 bytes [48, B8, 79, FA, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                 000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                            000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                        000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                           000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                       000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                              000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                          000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                000000007730e100 6 bytes [48, B8, 39, FC, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                            000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                             000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                         000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                            000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                        000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                000000007730e9a0 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                            000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                          000000007730eb70 6 bytes [48, B8, 39, 1F, B4, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                      000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                            000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                        000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                          000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                      000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                      000000007730f2a0 6 bytes [48, B8, F9, E1, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                  000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                            000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                        000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                             000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                         000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                000000007730f480 6 bytes [48, B8, F9, 27, B4, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                            000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                      000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                       00000000770a1b21 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                 00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                          00000000770a2b61 8 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                         00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                   00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                      00000000770c0941 11 bytes [B8, 39, 26, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                    00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                    00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!ReadConsoleW                                             000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!ReadConsoleA                                             000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                000000007712f501 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                000000007712f701 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                          000000007712f731 8 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                         000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                        000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                        000007fefd212db1 11 bytes [B8, 79, D0, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                     000007fefd213461 11 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                       000007fefd215370 12 bytes [48, B8, B9, FF, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                      000007fefd215eb1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                           000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                 000007fefd2197a1 11 bytes [B8, 79, 1D, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                    000007fefd21a0e1 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                         000007fefd21aec0 12 bytes [48, B8, B9, CE, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                     000007fefd21ca31 11 bytes [B8, F9, CC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                         000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                     000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                   000007fefd250bd1 11 bytes [B8, B9, EA, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                 000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                       000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                        000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                              000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                    000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                              000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                         000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                     000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                     000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                     000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                      000007fefdb9b039 11 bytes [B8, F9, 2E, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                             000007fefdbc8fd9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!CreateWindowExA                                            00000000771ca2e0 12 bytes [48, B8, 39, AF, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!PostMessageA + 1                                           00000000771ca405 11 bytes [B8, B9, 29, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                         00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowW + 1                                            00000000771cd265 7 bytes [B8, 79, D7, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowW + 9                                            00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                        00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                    00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                      00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                      00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!CreateWindowExW                                            00000000771d0810 12 bytes [48, B8, 79, AD, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!ShowWindow                                                 00000000771d1930 6 bytes [48, B8, F9, B0, B3, 75]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!ShowWindow + 8                                             00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                           00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWinEventHook                                            00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!GetMessageA + 1                                            00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                         00000000771d7055 11 bytes [B8, 79, BB, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!PostMessageW + 1                                           00000000771d76e5 11 bytes [B8, 79, 2B, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                           00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!GetMessageW                                                00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                00000000771da2c9 11 bytes [B8, B9, 30, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                             00000000771e4efd 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                          00000000771e7469 11 bytes [B8, B9, B2, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowA + 1                                            00000000771e8271 7 bytes [B8, F9, D3, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowA + 9                                            00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                      00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                     00000000771e8c2a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                          00000000771e8d21 7 bytes [B8, 39, D9, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                          00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                          0000000077231371 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                          0000000077231395 11 bytes [B8, F9, B7, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                         000000007723d379 11 bytes [B8, B9, B9, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                          000000007723dae1 7 bytes [B8, B9, D5, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                          000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                       000007fefdf3ae81 11 bytes [B8, 79, 16, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                 000007fefdf3aee1 11 bytes [B8, 39, 03, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                       000007fefdf3e6e9 11 bytes [B8, B9, 1B, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                 000007fefdf4048d 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                      000007fefdf40579 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                    000007fefdf405b1 11 bytes [B8, 39, 18, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                   000007fefdf405f9 5 bytes [B8, F9, 19, B4, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                       000007fefdf54e21 11 bytes [B8, 79, 32, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                           000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                         000007fefdf6b9c1 7 bytes [B8, 79, 08, B4, 75, 00, 00]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                        000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                           000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                     000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[2980] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                     000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                     00000000772e8731 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                   00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                             000000007730ddc0 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                        000000007730e100 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                  000000007730eb70 6 bytes [48, B8, 79, 01, B4, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                              00000000770c0941 11 bytes [B8, 79, 08, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                               000007fefd215370 12 bytes [48, B8, F9, E1, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                              000007fefd215eb1 11 bytes [B8, B9, E3, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                         000007fefd2197a1 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                            000007fefd21a0e1 11 bytes [B8, 39, E0, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                 000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, F9, 0B, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                               000007fefdf3ae81 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                         000007fefdf3aee1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                               000007fefdf3e6e9 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                         000007fefdf4048d 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                              000007fefdf40579 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                            000007fefdf405b1 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                           000007fefdf405f9 5 bytes [B8, 39, FC, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                               000007fefdf54e21 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                 000007fefdf6b9c1 7 bytes [B8, B9, EA, B3, 75, 00, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                        000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!closesocket                                                                        000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                     000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                        000007fefdee2201 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                       000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!connect                                                                            000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!send + 1                                                                           000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                      000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                  000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                                     000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!socket + 1                                                                         000007fefdeede91 11 bytes [B8, 79, EC, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!recv + 1                                                                           000007fefdeedf41 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                     000007fefdf0e0f1 11 bytes [B8, F9, EF, B3, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] c:\windows\system32\WINHTTP.dll!WinHttpCloseHandle                                                                000007fefb2422e0 12 bytes [48, B8, F9, A2, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] c:\windows\system32\WINHTTP.dll!WinHttpOpenRequest                                                                000007fefb2445f8 12 bytes [48, B8, 39, A1, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] c:\windows\system32\WINHTTP.dll!WinHttpConnect                                                                    000007fefb253e3c 12 bytes [48, B8, B9, A4, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\System32\DNSAPI.dll!DnsQuery_UTF8                                                                      000007fefc6456e0 12 bytes [48, B8, 39, CB, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\System32\DNSAPI.dll!DnsQuery_W                                                                         000007fefc65010c 12 bytes [48, B8, 79, C9, B3, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[3020] C:\Windows\System32\DNSAPI.dll!DnsQuery_A                                                                         000007fefc66daa0 12 bytes [48, B8, B9, C7, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                         00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                        00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
         

14.07.2015, 12:41   #8
McFly87

GMER Part 5



Code:
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                       00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                 000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                             000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                 000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                             000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                 000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                             000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                           000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                       000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                      000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                  000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                    000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                      000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                  000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                    000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                       000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                   000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                 000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                             000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                        000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                    000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                       000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                   000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                          000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                      000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                            000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                        000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                         000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                     000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                        000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                    000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                            000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                        000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                      000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                  000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                        000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                    000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                      000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                  000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                  000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                              000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                        000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                    000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                         000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                     000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                            000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                        000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                  000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                   00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                             00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                      00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                     00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                               00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                  00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!ReadConsoleW                                         000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!ReadConsoleA                                         000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                            000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                            000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                      000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                     000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                    000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                    000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                 000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                   000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                  000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                       000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                             000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                     000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                 000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                     000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                 000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                               000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                             000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                            000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                   000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                   000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                             000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                   000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                             000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                  000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                               000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                   000007fefdf54e21 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                       000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                     000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                    000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                       000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                 000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                 000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                    000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                          000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                          000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                     000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                 000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                 000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!CreateWindowExA                                        00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!PostMessageA + 1                                       00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                     00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowW + 1                                        00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowW + 9                                        00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                    00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                  00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                  00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!CreateWindowExW                                        00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!ShowWindow                                             00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!ShowWindow + 8                                         00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                       00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWinEventHook                                        00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!GetMessageA + 1                                        00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                     00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!PostMessageW + 1                                       00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                       00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!GetMessageW                                            00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                            00000000771da2c9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                         00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                      00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowA + 1                                        00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowA + 9                                        00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                  00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                 00000000771e8c2a 2 bytes [50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                      00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                      00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                      0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                      0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                     000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                      000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                      000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                  000007fefdb9b039 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                         000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE[3056] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                 000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                  00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                  00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                                  00000000774bfbf4 5 bytes JMP 00000001735b7459
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                            00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                       00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                     00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                       00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                     00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                        00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                  00000000774bff0c 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                         00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                        00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                           00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                             00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                            00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                          00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                         00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                             00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                       00000000774c110c 5 bytes JMP 00000001735b73c1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                         00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                       00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                   00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                         00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                          00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                             00000000774c1f34 5 bytes JMP 00000001735b7589
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                               00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                              00000000774e0fe1 5 bytes JMP 00000001735b74f1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                             0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                       00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                               000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                       0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                        0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                          000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                                 0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                           0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                              0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!Process32NextW                                        00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                           000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                                 000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!WinExec                                               0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                     00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                     00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                          00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                          00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                             0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                         0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                                     0000000076f5d0af 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                  0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                         0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                     0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                                    0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                        0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                          0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                    0000000076f61d29 5 bytes JMP 00000001735b1981
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                      0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                      0000000076f62ab1 5 bytes JMP 00000001735b59a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                      0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                         0000000076f62d1d 5 bytes JMP 00000001735b5a39
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                    0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                             0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                               0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                        0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                  0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                                       0000000076f6a217 5 bytes JMP 00000001735b69a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                                    0000000076f6a500 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                         0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                                  0000000076f6e2a4 5 bytes JMP 00000001735b7329
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                              00000000766ca472 5 bytes JMP 00000001735b7751
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                              00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\msvcrt.dll!__p__environ                                            00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!GetMessageW                                             0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!GetMessageA                                             0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                         0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!FindWindowW                                             0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                                         0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                 0000000074edb6ed 5 bytes JMP 00000001735b77e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                         0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                         0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!FindWindowA                                             0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!FindWindowExA                                           0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!PeekMessageW                                            0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!ShowWindow                                              0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!PostMessageW                                            0000000074ee12a5 5 bytes JMP 00000001735b76b9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                          0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!PostMessageA                                            0000000074ee3baa 5 bytes JMP 00000001735b7621
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!PeekMessageA                                            0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                          0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                       0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                          0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                       0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                              0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                     0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!FindWindowExW                                           0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                           0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                           0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                                       0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                           0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                               00000000767d6343 5 bytes JMP 00000001735b7881
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\GDI32.dll!NamedEscape                                              0000000076803fd7 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                                           00000000764e8e89 5 bytes JMP 00000001735b6b71
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                                  00000000764e9179 5 bytes JMP 00000001735b6a41
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                                        00000000764e9186 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                                        00000000764ec4d2 5 bytes JMP 00000001735b7291
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                          00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                                  00000000764edeb4 5 bytes JMP 00000001735b6ad9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                                         00000000764eded6 5 bytes JMP 00000001735b71f9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                                       00000000764edeee 5 bytes JMP 00000001735b7031
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                                     00000000764edf1e 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                          00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                    00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                   00000000764f494d 5 bytes JMP 00000001735b7919
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                        0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                        000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                         0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                                          00000000765077cb 5 bytes JMP 00000001735b6c09
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                  00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                  00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                     00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                     00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                        000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                      0000000075830179 5 bytes JMP 00000001735b4d29
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!closesocket                                             0000000076a13918 5 bytes JMP 00000001735b5741
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                              0000000076a13cd3 5 bytes JMP 00000001735b56a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!socket                                                  0000000076a13eb8 5 bytes JMP 00000001735b6ca1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!WSASend                                                 0000000076a14406 5 bytes JMP 00000001735b2139
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                            0000000076a14889 5 bytes JMP 00000001735b4dc1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!recv                                                    0000000076a16b0e 5 bytes JMP 00000001735b6e69
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!connect                                                 0000000076a16bdd 1 byte JMP 00000001735b41e1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!connect + 2                                             0000000076a16bdf 3 bytes {CALL RBP}
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!send                                                    0000000076a16f01 5 bytes JMP 00000001735b20a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                 0000000076a17089 5 bytes JMP 00000001735b6f01
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                              0000000076a1cc3f 5 bytes JMP 00000001735b6dd1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW                                          0000000076a1d1ea 5 bytes JMP 00000001735b4e59
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe[1552] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                           0000000076a27673 5 bytes JMP 00000001735b4ef1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                         00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                         00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                                         00000000774bfbf4 5 bytes JMP 00000001735b7459
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                   00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                              00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                            00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                              00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                            00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                               00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                         00000000774bff0c 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                               00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                  00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                    00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                   00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                 00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                    00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                              00000000774c110c 5 bytes JMP 00000001735b73c1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                              00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                          00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                                00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                 00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                    00000000774c1f34 5 bytes JMP 00000001735b7589
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                      00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                                     00000000774e0fe1 5 bytes JMP 00000001735b74f1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                    0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                              00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                      000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                              0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                               0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW                                             0000000075411efe 7 bytes JMP 0000000170b03880
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                 000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!RegSetValueExW                                               0000000075415b9d 7 bytes JMP 0000000170b03ec0
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                               00000000754213f9 7 bytes JMP 0000000170b03ad0
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                       0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                                        0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                                  0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW                                              000000007542ea45 7 bytes JMP 0000000170b03870
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                     0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!Process32NextW                                               00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                                  000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                                        000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!WinExec                                                      0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                            00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                            00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                 00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                 00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                                      00000000754b8ea4 7 bytes JMP 0000000170b033c0
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                                      00000000754b8f29 5 bytes JMP 0000000170b03470
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                                        00000000754b9281 5 bytes JMP 0000000170b033d0
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                    0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                                            0000000076f5d0af 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                         0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                            0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                                           0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                               0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                 0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                           0000000076f61d29 5 bytes JMP 0000000170b03380
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                                         0000000076f61dd7 5 bytes JMP 0000000170b03340
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                             0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                             0000000076f62ab1 5 bytes JMP 0000000170b03480
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                             0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                0000000076f62d1d 5 bytes JMP 0000000170b03190
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                           0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                    0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                      0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                               0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                         0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                                              0000000076f6a217 5 bytes JMP 00000001735b69a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                                           0000000076f6a500 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                                         0000000076f6e2a4 5 bytes JMP 00000001735b7329
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                     00000000766ca472 5 bytes JMP 00000001735b7751
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                     00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                   00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!GetMessageW                                                    0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!GetMessageA                                                    0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowW                                                    0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                                                0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                        0000000074edb6ed 5 bytes JMP 00000001735b77e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowA                                                    0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                  0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                   0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!ShowWindow                                                     0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!PostMessageW                                                   0000000074ee12a5 5 bytes JMP 00000001735b76b9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                 0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!PostMessageA                                                   0000000074ee3baa 5 bytes JMP 00000001735b7621
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA                                            0000000074ee4572 5 bytes JMP 0000000170b03110
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                   0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                 0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                              0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                 0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                              0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                     0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW                                            0000000074efe567 5 bytes JMP 0000000170b03180
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                            0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                  0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                  0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW                                       0000000074f207d7 5 bytes JMP 0000000170b02700
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                  0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                                              0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                  0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo                                     0000000074f37a5c 5 bytes JMP 0000000170b03100
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                                      00000000767d6343 5 bytes JMP 00000001735b7881
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                                        00000000767ee96b 5 bytes JMP 0000000170b029a0
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                                          00000000767eeba5 5 bytes JMP 0000000170b029c0
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\GDI32.dll!NamedEscape                                                     0000000076803fd7 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                                                  00000000764e8e89 5 bytes JMP 00000001735b6b71
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                                         00000000764e9179 5 bytes JMP 00000001735b6a41
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                                               00000000764e9186 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                                               00000000764ec4d2 5 bytes JMP 00000001735b7291
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                 00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                                         00000000764edeb4 5 bytes JMP 00000001735b6ad9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                                                00000000764eded6 5 bytes JMP 00000001735b71f9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                                              00000000764edeee 5 bytes JMP 00000001735b7031
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                                            00000000764edf1e 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                 00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                           00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                          00000000764f494d 5 bytes JMP 00000001735b7919
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                               0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                               000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                                                 00000000765077cb 5 bytes JMP 00000001735b6c09
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                         00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                         00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                            00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                            00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                               000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                             0000000075830179 5 bytes JMP 00000001735b4d29
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!closesocket                                                    0000000076a13918 5 bytes JMP 00000001735b5741
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                     0000000076a13cd3 5 bytes JMP 00000001735b56a9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!socket                                                         0000000076a13eb8 5 bytes JMP 00000001735b6ca1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSASend                                                        0000000076a14406 5 bytes JMP 00000001735b2139
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                   0000000076a14889 5 bytes JMP 00000001735b4dc1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!recv                                                           0000000076a16b0e 5 bytes JMP 00000001735b6e69
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!connect                                                        0000000076a16bdd 1 byte JMP 00000001735b41e1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                    0000000076a16bdf 3 bytes {CALL RBP}
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!send                                                           0000000076a16f01 5 bytes JMP 00000001735b20a1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                        0000000076a17089 5 bytes JMP 00000001735b6f01
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                     0000000076a1cc3f 5 bytes JMP 00000001735b6dd1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW                                                 0000000076a1d1ea 5 bytes JMP 00000001735b4e59
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                  0000000076a27673 5 bytes JMP 00000001735b4ef1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                       0000000074ea1401 2 bytes JMP 7543b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                         0000000074ea1419 2 bytes JMP 7543b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                       0000000074ea1431 2 bytes JMP 754b8f29 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                       0000000074ea144a 2 bytes CALL 7541489d C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                     * 9
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                          0000000074ea14dd 2 bytes JMP 754b8822 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                   0000000074ea14f5 2 bytes JMP 754b89f8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                          0000000074ea150d 2 bytes JMP 754b8718 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                   0000000074ea1525 2 bytes JMP 754b8ae2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                         0000000074ea153d 2 bytes JMP 7542fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                              0000000074ea1555 2 bytes JMP 754368ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                       0000000074ea156d 2 bytes JMP 754b8fe3 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                         0000000074ea1585 2 bytes JMP 754b8b42 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                            0000000074ea159d 2 bytes JMP 754b86dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                         0000000074ea15b5 2 bytes JMP 7542fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                       0000000074ea15cd 2 bytes JMP 7543b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                   0000000074ea16b2 2 bytes JMP 754b8ea4 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                   0000000074ea16bd 2 bytes JMP 754b8671 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\urlmon.dll!CreateUri + 128                                                0000000075532b40 5 bytes JMP 00000001735b7b79
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW                                        0000000075561f90 5 bytes JMP 00000001735b4149
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW                                             0000000075562770 5 bytes JMP 00000001735b21d1
.text    C:\Program Files (x86)\EPSON\MyEpson Portal\mep.exe[3076] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA                                             00000000755ee460 5 bytes JMP 00000001735b2ab9
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                             00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                            00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                           00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                     000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                 000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                     000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                 000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                                     000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                                 000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                               000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                           000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                          000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                      000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                        000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                    000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                      000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                        000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                    000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                           000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                       000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                     000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                                 000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                            000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                        000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                           000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                       000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                              000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                          000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                            000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                             000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                         000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                            000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                        000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                            000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                          000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                                      000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                            000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                        000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                          000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                      000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                      000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                  000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                            000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                        000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                             000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                         000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                            000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                      000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                       00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                 00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                          00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                         00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                   00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                      00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                    00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                    00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                             000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                             000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                                000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                                000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                          000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                         000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                        000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                        000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                     000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                                       000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                                      000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                           000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                                 000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                                    000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                         000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                     000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                         000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                     000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                                   000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                 000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                       000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                                       000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                                 000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                                       000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                                 000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                                      000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                                    000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                                   000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                                       000007fefdf54e21 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                           000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                         000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                        000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                           000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                     000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                     000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                        000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                              000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                    000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                              000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                         000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                     000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                     000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                            00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                           00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                         00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                            00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                            00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                        00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                    00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                      00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                      00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                            00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!ShowWindow                                                                                 00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                             00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                           00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                            00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                            00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                         00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                           00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                           00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!GetMessageW                                                                                00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
         

Old 14.07.2015, 12:42   #9
McFly87
 

GMER Part 6



Code:
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                00000000771da2c9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                             00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                          00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                            00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                            00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                      00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                     00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                          00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                          00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                          0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                          0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                         000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                          000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                          000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                                      000007fefdb9b039 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                             000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                                     000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!closesocket                                                                                000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                             000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                000007fefdee2201 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                               000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!connect                                                                                    000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!send + 1                                                                                   000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                              000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                          000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                                             000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                 000007fefdeede91 11 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                   000007fefdeedf41 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                             000007fefdf0e0f1 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8                                                                              000007fefc6456e0 12 bytes [48, B8, 39, CB, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\DNSAPI.dll!DnsQuery_W                                                                                 000007fefc65010c 12 bytes [48, B8, 79, C9, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3088] C:\Windows\system32\DNSAPI.dll!DnsQuery_A                                                                                 000007fefc66daa0 12 bytes [48, B8, B9, C7, B3, 75, 00, ...]
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtClose                                   00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                   00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                   00000000774bfbf4 5 bytes JMP 00000001735b7459
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                             00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                        00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                      00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                        00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                      00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                         00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                   00000000774bff0c 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                          00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                         00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                            00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                              00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                             00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                           00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                          00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                              00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                        00000000774c110c 5 bytes JMP 00000001735b73c1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                          00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                        00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                    00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                          00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                           00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                              00000000774c1f34 5 bytes JMP 00000001735b7589
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                               00000000774e0fe1 5 bytes JMP 00000001735b74f1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx              0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                        00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                        0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessA                         0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                           000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                 0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                  0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileExW                            0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot               0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!Process32NextW                         00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileExA                            000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                  000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!WinExec                                0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                      00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                      00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                           00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                           00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime              0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                          0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                      0000000076f5d0af 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                   0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                          0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                      0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                     0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                         0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                           0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                     0000000076f61d29 5 bytes JMP 00000001735b1981
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                       0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                       0000000076f62ab1 5 bytes JMP 00000001735b59a1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                       0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                          0000000076f62d1d 5 bytes JMP 00000001735b5a39
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                     0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                              0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                         0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                   0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                        0000000076f6a217 5 bytes JMP 00000001735b69a9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                     0000000076f6a500 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                          0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                   0000000076f6e2a4 5 bytes JMP 00000001735b7329
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!GetMessageW                              0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!GetMessageA                              0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!CreateWindowExW                          0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowW                              0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                          0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                  0000000074edb6ed 5 bytes JMP 00000001735b7751
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!CreateWindowExA                          0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!SetWinEventHook                          0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowA                              0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowExA                            0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!PeekMessageW                             0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!ShowWindow                               0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW                             0000000074ee12a5 5 bytes JMP 00000001735b76b9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowTextW                           0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA                             0000000074ee3baa 5 bytes JMP 00000001735b7621
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!PeekMessageA                             0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!CallNextHookEx                           0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                        0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowTextA                           0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                        0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW               0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                      0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!FindWindowExW                            0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW            0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!MessageBoxExA                            0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                        0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\USER32.dll!MessageBoxExW                            0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                00000000767d6343 5 bytes JMP 00000001735b77e9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\GDI32.dll!NamedEscape                               0000000076803fd7 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\msvcrt.dll!_lock + 41                               00000000766ca472 5 bytes JMP 00000001735b7881
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\msvcrt.dll!__p__fmode                               00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\msvcrt.dll!__p__environ                             00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                            00000000764e8e89 5 bytes JMP 00000001735b6b71
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                   00000000764e9179 5 bytes JMP 00000001735b6a41
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                         00000000764e9186 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                         00000000764ec4d2 5 bytes JMP 00000001735b7291
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                           00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                   00000000764edeb4 5 bytes JMP 00000001735b6ad9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                          00000000764eded6 5 bytes JMP 00000001735b71f9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                        00000000764edeee 5 bytes JMP 00000001735b7031
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                      00000000764edf1e 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                           00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                     00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                    00000000764f494d 5 bytes JMP 00000001735b7919
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                         0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlService                         000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                          0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                           00000000765077cb 5 bytes JMP 00000001735b6c09
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                   00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                   00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                      00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                      00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                         000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                       0000000075830179 5 bytes JMP 00000001735b4d29
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!closesocket                              0000000076a13918 5 bytes JMP 00000001735b5741
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASocketW                               0000000076a13cd3 5 bytes JMP 00000001735b56a9
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!socket                                   0000000076a13eb8 5 bytes JMP 00000001735b6ca1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSASend                                  0000000076a14406 5 bytes JMP 00000001735b2139
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                             0000000076a14889 5 bytes JMP 00000001735b4dc1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!recv                                     0000000076a16b0e 5 bytes JMP 00000001735b6e69
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!connect                                  0000000076a16bdd 1 byte JMP 00000001735b41e1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!connect + 2                              0000000076a16bdf 3 bytes {CALL RBP}
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!send                                     0000000076a16f01 5 bytes JMP 00000001735b20a1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSARecv                                  0000000076a17089 5 bytes JMP 00000001735b6f01
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!WSAConnect                               0000000076a1cc3f 5 bytes JMP 00000001735b6dd1
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW                           0000000076a1d1ea 5 bytes JMP 00000001735b4e59
.text    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[3096] C:\Windows\syswow64\WS2_32.dll!gethostbyname                            0000000076a27673 5 bytes JMP 00000001735b4ef1
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                     00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                    00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                   00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                             000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                         000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                             000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                         000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                             000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                         000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                       000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                   000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                  000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                              000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                            000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                  000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                              000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                            000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                   000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                               000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                             000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                         000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                    000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                   000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                               000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                      000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                  000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                        000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                    000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                     000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                 000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                    000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                        000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                    000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                  000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                              000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                    000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                  000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                              000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                              000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                          000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                    000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                     000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                 000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                        000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                    000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                              000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!Process32NextW + 1                               00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                         00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                  00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                 00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                           00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                              00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                            00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                            00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!ReadConsoleW                                     000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!ReadConsoleA                                     000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                        000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                        000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                  000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                 000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                             000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                               000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                              000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                   000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                         000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                            000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                 000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                             000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                 000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                             000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                           000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                         000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                        000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                               000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!WSASend + 1                                        000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!closesocket                                        000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                     000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                        000007fefdee2201 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                       000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!connect                                            000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!send + 1                                           000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!gethostbyname                                      000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                  000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                     000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!socket + 1                                         000007fefdeede91 11 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!recv + 1                                           000007fefdeedf41 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                     000007fefdf0e0f1 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                              000007fefdb9b039 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                     000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!CreateWindowExA                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!PostMessageA + 1                                   00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowW + 1                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowW + 9                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!CreateWindowExW                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!ShowWindow                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!ShowWindow + 8                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWinEventHook                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!GetMessageA + 1                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!PostMessageW + 1                                   00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!GetMessageW                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                        00000000771da2c9 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowA + 1                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowA + 9                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                             000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                      000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                            000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                      000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                 000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                             000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                             000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                               000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                         000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                               000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                         000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                              000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                            000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                           000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                               000007fefdf54e21 11 bytes [B8, 39, 18, B4, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                   000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                 000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                   000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                             000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3172] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                             000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                             00000000772e8731 11 bytes [B8, B9, 22, B4, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1            00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10           00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                     000000007730dca0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                 000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                     000000007730dd70 6 bytes [48, B8, 39, CB, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                 000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                     000000007730ddc0 6 bytes [48, B8, F9, 20, B4, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                 000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                               000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                           000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                          000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                      000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                        000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                    000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                          000000007730de70 6 bytes [48, B8, 79, C9, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                      000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                        000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                    000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                           000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                       000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                     000000007730dfc0 6 bytes [48, B8, 79, FA, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                 000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                            000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                        000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                           000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                       000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                              000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                          000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                000000007730e100 6 bytes [48, B8, 39, FC, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                            000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                             000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                         000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                            000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                        000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                000000007730e9a0 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                            000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                          000000007730eb70 6 bytes [48, B8, 39, 1F, B4, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                      000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                            000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                        000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                          000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                      000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                      000000007730f2a0 6 bytes [48, B8, F9, E1, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                  000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                            000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                        000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                             000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                         000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                000000007730f480 6 bytes [48, B8, F9, 27, B4, 75]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                            000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                      000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!Process32NextW + 1                       00000000770a1b21 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                 00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                          00000000770a2b61 8 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                         00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                   00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                      00000000770c0941 11 bytes [B8, 39, 26, B4, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                    00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                    00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleW                             000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleA                             000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                000000007712f501 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                000000007712f701 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                          000000007712f731 8 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                         000000007712f73a 2 bytes [50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                        000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                        000007fefd212db1 11 bytes [B8, 79, D0, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                     000007fefd213461 11 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                       000007fefd215370 12 bytes [48, B8, B9, FF, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                      000007fefd215eb1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                           000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                 000007fefd2197a1 11 bytes [B8, 79, 1D, B4, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                    000007fefd21a0e1 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                         000007fefd21aec0 12 bytes [48, B8, B9, CE, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                     000007fefd21ca31 11 bytes [B8, F9, CC, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                         000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                     000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                   000007fefd250bd1 11 bytes [B8, B9, EA, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                 000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                000007fefd25283a 2 bytes [50, C3]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                       000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\USER32.dll!CreateWindowExA                            00000000771ca2e0 12 bytes [48, B8, 39, AF, B3, 75, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\USER32.dll!PostMessageA + 1                           00000000771ca405 11 bytes [B8, B9, 29, B4, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                         00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\USER32.dll!FindWindowW + 1                            00000000771cd265 7 bytes [B8, 79, D7, B3, 75, 00, 00]
.text    C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe[3220] C:\Windows\system32\USER32.dll!FindWindowW + 9                            00000000771cd26d 3 bytes [00, 50, C3]

Old 14.07.2015, 12:43   #10
McFly87
 

GMER Part 7



Code:
ATTFilter
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                    00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                 00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                    00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                    00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                            00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                              00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                              00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                    00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!ShowWindow                                                                         00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                     00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                   00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                    00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                    00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                 00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                   00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!GetMessageW                                                                        00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                        00000000771da2c9 11 bytes [B8, F9, 0B, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                     00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                  00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                    00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                    00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                              00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                             00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                  00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                  00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                  0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                  0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                 000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                  000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                  000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                              000007fefdb9b039 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3348] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                     000007fefdbc8fd9 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtClose                                           00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                           00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                           00000000774bfbf4 5 bytes JMP 00000001735b73c1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                     00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                              00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                              00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                 00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                  00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                 00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                    00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                      00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                     00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                   00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                  00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                      00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                00000000774c110c 5 bytes JMP 00000001735b7329
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                  00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                            00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                  00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                   00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                      00000000774c1f34 5 bytes JMP 00000001735b74f1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                        00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                       00000000774e0fe1 5 bytes JMP 00000001735b7459
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                      0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                        000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                 0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                   000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                         0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                          0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                    0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                       0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!Process32NextW                                 00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                    000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                          000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!WinExec                                        0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                              00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                              00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                   00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                   00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                      0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                  0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                              0000000076f5d0af 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                           0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                  0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                              0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                             0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                 0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                   0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                             0000000076f61d29 5 bytes JMP 00000001735b1981
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                               0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                               0000000076f62ab1 5 bytes JMP 00000001735b59a1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                               0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                  0000000076f62d1d 5 bytes JMP 00000001735b5a39
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                             0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                      0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                        0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                 0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                           0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                                0000000076f6a217 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                             0000000076f6a500 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                  0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                           0000000076f6e2a4 5 bytes JMP 00000001735b7291
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                       00000000766ca472 5 bytes JMP 00000001735b7751
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                       00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\msvcrt.dll!__p__environ                                     00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                                    00000000764e8e89 5 bytes JMP 00000001735b6ad9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                           00000000764e9179 5 bytes JMP 00000001735b69a9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                                 00000000764e9186 5 bytes JMP 00000001735b7031
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                                 00000000764ec4d2 5 bytes JMP 00000001735b71f9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                   00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                           00000000764edeb4 5 bytes JMP 00000001735b6a41
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                                  00000000764eded6 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                                00000000764edeee 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                              00000000764edf1e 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                   00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                             00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                            00000000764f494d 5 bytes JMP 00000001735b77e9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                 0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                 000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                  0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                                   00000000765077cb 5 bytes JMP 00000001735b6b71
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                           00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                           00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                              00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                              00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                 000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!GetMessageW                                      0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!GetMessageA                                      0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                  0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!FindWindowW                                      0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                                  0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                          0000000074edb6ed 5 bytes JMP 00000001735b7881
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                  0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                  0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!FindWindowA                                      0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!FindWindowExA                                    0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!PeekMessageW                                     0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!ShowWindow                                       0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!PostMessageW                                     0000000074ee12a5 5 bytes JMP 00000001735b7621
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                   0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!PostMessageA                                     0000000074ee3baa 5 bytes JMP 00000001735b7589
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!PeekMessageA                                     0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                   0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                   0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                       0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                              0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!FindWindowExW                                    0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                    0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                    0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                                0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                    0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                        00000000767d6343 5 bytes JMP 00000001735b7919
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\GDI32.dll!NamedEscape                                       0000000076803fd7 5 bytes JMP 00000001735b6f01
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                               0000000075830179 5 bytes JMP 00000001735b4d29
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!closesocket                                      0000000076a13918 5 bytes JMP 00000001735b5741
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                       0000000076a13cd3 5 bytes JMP 00000001735b56a9
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!socket                                           0000000076a13eb8 5 bytes JMP 00000001735b6c09
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!WSASend                                          0000000076a14406 5 bytes JMP 00000001735b2139
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                     0000000076a14889 5 bytes JMP 00000001735b4dc1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!recv                                             0000000076a16b0e 5 bytes JMP 00000001735b6dd1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!connect                                          0000000076a16bdd 1 byte JMP 00000001735b41e1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!connect + 2                                      0000000076a16bdf 3 bytes {CALL RBP}
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!send                                             0000000076a16f01 5 bytes JMP 00000001735b20a1
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!WSARecv                                          0000000076a17089 5 bytes JMP 00000001735b6e69
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                       0000000076a1cc3f 5 bytes JMP 00000001735b6d39
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW                                   0000000076a1d1ea 5 bytes JMP 00000001735b4e59
.text    C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[3392] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                    0000000076a27673 5 bytes JMP 00000001735b4ef1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtReadFile                                                             00000000774bf93c 5 bytes JMP 00000001735b6911
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                00000000774bfa2c 5 bytes JMP 00000001735b5e61
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                00000000774bfb74 5 bytes JMP 00000001735b5871
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                                                00000000774bfbf4 5 bytes JMP 00000001735b74f1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                          00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                     00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                   00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                     00000000774bfcfc 5 bytes JMP 00000001735b57d9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                   00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                      00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                                00000000774bff0c 5 bytes JMP 00000001735b67e1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                       00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                      00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                         00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                           00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                          00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                        00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                       00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                           00000000774c0e40 5 bytes JMP 00000001735b5ef9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                                     00000000774c110c 5 bytes JMP 00000001735b7459
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                       00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                     00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                 00000000774c1c30 5 bytes JMP 00000001735b5f91
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                                       00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                        00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                           00000000774c1f34 5 bytes JMP 00000001735b7621
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                             00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                                            00000000774e0fe1 5 bytes JMP 00000001735b7589
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                           0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                     00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                             000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                     0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                      0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                        000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                              0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW                                               0000000075429aa4 5 bytes JMP 00000001735b6749
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!MoveFileExW                                                         0000000075429b05 5 bytes JMP 00000001735b64e9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                            0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                      00000000754388da 5 bytes JMP 00000001735b5dc9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!MoveFileExA                                                         000000007543ccb1 5 bytes JMP 00000001735b63b9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA                                               000000007543ccd1 5 bytes JMP 00000001735b6619
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!WinExec                                                             0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                   00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                   00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                        00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                        00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                           0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                       0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                                                   0000000076f5d0af 5 bytes JMP 00000001735b6879
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                       0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                   0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                                                  0000000076f5fbb7 5 bytes JMP 00000001735b6289
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                      0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                        0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                  0000000076f61d29 5 bytes JMP 00000001735b1981
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                    0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                    0000000076f62ab1 5 bytes JMP 00000001735b59a1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                    0000000076f62cdf 5 bytes JMP 00000001735b5909
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                       0000000076f62d1d 5 bytes JMP 00000001735b5a39
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                  0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                           0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                             0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                      0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                                                     0000000076f6a217 5 bytes JMP 00000001735b6a41
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                                                  0000000076f6a500 5 bytes JMP 00000001735b69a9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                       0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                                                0000000076f6e2a4 5 bytes JMP 00000001735b73c1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey                                                         00000000764e8e89 5 bytes JMP 00000001735b6c09
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA                                                00000000764e9179 5 bytes JMP 00000001735b6ad9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey                                                      00000000764e9186 5 bytes JMP 00000001735b7161
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey                                                      00000000764ec4d2 5 bytes JMP 00000001735b7329
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                        00000000764ec9ec 5 bytes JMP 00000001735b3c89
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW                                                00000000764edeb4 5 bytes JMP 00000001735b6b71
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData                                                       00000000764eded6 5 bytes JMP 00000001735b7291
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash                                                     00000000764edeee 5 bytes JMP 00000001735b70c9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam                                                   00000000764edf1e 5 bytes JMP 00000001735b71f9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                        00000000764f2b50 5 bytes JMP 00000001735b3bf1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                  00000000764f35fc 5 bytes JMP 00000001735b40b1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                 00000000764f494d 5 bytes JMP 00000001735b77e9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                      0000000076507154 5 bytes JMP 00000001735b4311
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                      000000007650716c 5 bytes JMP 00000001735b3e51
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                       0000000076507184 5 bytes JMP 00000001735b3ee9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt                                                        00000000765077cb 5 bytes JMP 00000001735b6ca1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                00000000765233bc 5 bytes JMP 00000001735b3f81
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                00000000765233cc 5 bytes JMP 00000001735b4019
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                   00000000765233dc 5 bytes JMP 00000001735b3d21
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                   00000000765233ec 5 bytes JMP 00000001735b3db9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                      000000007652342c 5 bytes JMP 00000001735b4279
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                            00000000766ca472 5 bytes JMP 00000001735b7881
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                            00000000766d27ce 5 bytes JMP 00000001735b1be1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                          00000000766de6cf 5 bytes JMP 00000001735b1b49
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                    0000000075830179 5 bytes JMP 00000001735b4d29
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 512                                             00000000767d6343 5 bytes JMP 00000001735b79b1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\GDI32.dll!NamedEscape                                                            0000000076803fd7 5 bytes JMP 00000001735b7031
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!GetMessageW                                                           0000000074ed78e2 5 bytes JMP 00000001735b4441
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!GetMessageA                                                           0000000074ed7bd3 5 bytes JMP 00000001735b43a9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                       0000000074ed8a29 5 bytes JMP 00000001735b4f89
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!FindWindowW                                                           0000000074ed98fd 1 byte JMP 00000001735b5c01
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!FindWindowW + 2                                                       0000000074ed98ff 3 bytes {JMP 0xfffffffffe6dc304}
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                               0000000074edb6ed 5 bytes JMP 00000001735b7a49
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                       0000000074edd22e 5 bytes JMP 00000001735b5021
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                       0000000074edee09 5 bytes JMP 00000001735b34d1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!FindWindowA                                                           0000000074edffe6 5 bytes JMP 00000001735b5ad1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                         0000000074ee00d9 5 bytes JMP 00000001735b5b69
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                          0000000074ee05ba 5 bytes JMP 00000001735b4571
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!ShowWindow                                                            0000000074ee0dfb 5 bytes JMP 00000001735b50b9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!PostMessageW                                                          0000000074ee12a5 5 bytes JMP 00000001735b7751
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                        0000000074ee20ec 5 bytes JMP 00000001735b5449
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!PostMessageA                                                          0000000074ee3baa 5 bytes JMP 00000001735b76b9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                          0000000074ee5f74 5 bytes JMP 00000001735b44d9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                        0000000074ee6285 5 bytes JMP 00000001735b4bf9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                     0000000074ee7603 5 bytes JMP 00000001735b2be9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                        0000000074ee7aee 5 bytes JMP 00000001735b53b1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                     0000000074ee835c 5 bytes JMP 00000001735b2b51
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                            0000000074efce54 5 bytes JMP 00000001735b51e9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                   0000000074eff52b 5 bytes JMP 00000001735b4c91
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                         0000000074eff588 5 bytes JMP 00000001735b5c99
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                         0000000074f010a0 5 bytes JMP 00000001735b5151
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                         0000000074f2fcd6 2 bytes JMP 00000001735b5281
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 3                                                     0000000074f2fcd9 2 bytes [68, FE]
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                         0000000074f2fcfa 5 bytes JMP 00000001735b5319
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!closesocket                                                           0000000076a13918 5 bytes JMP 00000001735b5741
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                            0000000076a13cd3 5 bytes JMP 00000001735b56a9
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!socket                                                                0000000076a13eb8 5 bytes JMP 00000001735b6d39
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!WSASend                                                               0000000076a14406 5 bytes JMP 00000001735b2139
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                          0000000076a14889 5 bytes JMP 00000001735b4dc1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!recv                                                                  0000000076a16b0e 5 bytes JMP 00000001735b6f01
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!connect                                                               0000000076a16bdd 1 byte JMP 00000001735b41e1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                           0000000076a16bdf 3 bytes {CALL RBP}
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!send                                                                  0000000076a16f01 5 bytes JMP 00000001735b20a1
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                               0000000076a17089 5 bytes JMP 00000001735b6f99
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                            0000000076a1cc3f 5 bytes JMP 00000001735b6e69
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW                                                        0000000076a1d1ea 5 bytes JMP 00000001735b4e59
.text    C:\Users\******\AppData\Local\WikiUpdate.exe[3476] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                         0000000076a27673 5 bytes JMP 00000001735b4ef1
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                    00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                   00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                  00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                            000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                        000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                            000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                        000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                            000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                        000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                      000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                  000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                 000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                             000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                               000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                           000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                 000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                             000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                               000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                           000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                  000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                              000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                            000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                        000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                   000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                               000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                  000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                              000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                     000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                 000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                       000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                   000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                    000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                   000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                               000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                       000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                   000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                 000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                             000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                   000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                               000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                 000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                             000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                             000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                         000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                   000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                               000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                    000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                       000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                   000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                             000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                              00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                        00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                 00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                          00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                             00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                           00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                           00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                    000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                    000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                       000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                       000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                 000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                               000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                               000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                            000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                              000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                             000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                  000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                        000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                           000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                            000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                            000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                          000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                        000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                       000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                              000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                   00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                  00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                   00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                   00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                               00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                           00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                             00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                             00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                   00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!ShowWindow                                                                        00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                    00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                  00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                   00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                   00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                  00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                  00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!GetMessageW                                                                       00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                       00000000771da2c9 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                    00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                 00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                   00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                   00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                             00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                            00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                 00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                 00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                 0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                 0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                 000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                 000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                             000007fefdb9b039 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                    000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                              000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                        000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                              000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                        000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                             000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                           000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                          000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                              000007fefdf54e21 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                  000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                               000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                  000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                            000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                            000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                               000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                     000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                           000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                     000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                            000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                            000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\EscSvc64.exe[3620] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                            000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                 00000000774bfa2c 5 bytes JMP 00000001735b67e1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                 00000000774bfb74 5 bytes JMP 00000001735b61f1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken                                 00000000774bfbf4 5 bytes JMP 00000001735b7dd9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                           00000000774bfc6c 5 bytes JMP 00000001735b31d9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                      00000000774bfc9c 5 bytes JMP 00000001735b15f1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                    00000000774bfccc 5 bytes JMP 00000001735b1689
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                      00000000774bfcfc 5 bytes JMP 00000001735b6159
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                    00000000774bfe60 5 bytes JMP 00000001735b30a9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                       00000000774bfe90 5 bytes JMP 00000001735b3309
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken                                 00000000774bff0c 5 bytes JMP 00000001735b7161
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                        00000000774bff70 5 bytes JMP 00000001735b3271
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                       00000000774c0038 5 bytes JMP 00000001735b2ee1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                          00000000774c0050 5 bytes JMP 00000001735b2db1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                            00000000774c0100 5 bytes JMP 00000001735b1ed9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                           00000000774c0210 5 bytes JMP 00000001735b2301
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                         00000000774c0860 5 bytes JMP 00000001735b2e49
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                        00000000774c08f0 5 bytes JMP 00000001735b2d19
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                            00000000774c0e40 5 bytes JMP 00000001735b6879
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken                                      00000000774c110c 5 bytes JMP 00000001735b7d41
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                        00000000774c1650 5 bytes JMP 00000001735b4ac9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                      00000000774c196c 5 bytes JMP 00000001735b3141
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                  00000000774c1c30 5 bytes JMP 00000001735b6911
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                        00000000774c1da0 5 bytes JMP 00000001735b3439
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                         00000000774c1dbc 5 bytes JMP 00000001735b33a1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                            00000000774c1f34 5 bytes JMP 00000001735b7f09
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                              00000000774d4964 5 bytes JMP 00000001735b1ab1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid                                             00000000774e0fe1 5 bytes JMP 00000001735b7e71
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                            0000000077500f4b 5 bytes JMP 00000001735b2009
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                      00000000775488cf 5 bytes JMP 00000001735b4b61
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                              000000007754eb6b 5 bytes JMP 00000001735b1f71
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!GetStartupInfoA                                      0000000075410e00 5 bytes JMP 00000001735b1da9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA                                       0000000075411072 5 bytes JMP 00000001735b2a21
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryA                                         000000007541498f 5 bytes JMP 00000001735b25f9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW                               0000000075423bab 5 bytes JMP 00000001735b3011
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressW                                0000000075429aa4 5 bytes JMP 00000001735b70c9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!MoveFileExW                                          0000000075429b05 5 bytes JMP 00000001735b6e69
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!CreateToolhelp32Snapshot                             0000000075437327 5 bytes JMP 00000001735b2729
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!Process32NextW                                       00000000754388da 5 bytes JMP 00000001735b6749
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!MoveFileExA                                          000000007543ccb1 5 bytes JMP 00000001735b6d39
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!MoveFileWithProgressA                                000000007543ccd1 5 bytes JMP 00000001735b6f99
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!WinExec                                              0000000075493051 5 bytes JMP 00000001735b28f1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputA                                    00000000754b751b 5 bytes JMP 00000001735b46a1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleInputW                                    00000000754b753e 5 bytes JMP 00000001735b47d1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleA                                         00000000754b78e9 5 bytes JMP 00000001735b4901
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNEL32.dll!ReadConsoleW                                         00000000754b7962 5 bytes JMP 00000001735b4a31
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                            0000000076f58f8d 5 bytes JMP 00000001735b1a19
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                        0000000076f5c436 5 bytes JMP 00000001735b3b59
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!DeviceIoControl                                    0000000076f5d0af 5 bytes JMP 00000001735b71f9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                 0000000076f5eca6 5 bytes JMP 00000001735b3601
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                        0000000076f5f206 5 bytes JMP 00000001735b2399
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                    0000000076f5fa89 5 bytes JMP 00000001735b1e41
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW                                   0000000076f5fbb7 5 bytes JMP 00000001735b6c09
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                       0000000076f61358 5 bytes JMP 00000001735b3ac1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                         0000000076f6137f 5 bytes JMP 00000001735b3a29
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                   0000000076f61d29 5 bytes JMP 00000001735b1981
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                     0000000076f61e15 5 bytes JMP 00000001735b24c9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                     0000000076f62ab1 5 bytes JMP 00000001735b6321
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                     0000000076f62cdf 5 bytes JMP 00000001735b6289
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                        0000000076f62d1d 5 bytes JMP 00000001735b63b9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                   0000000076f62e80 5 bytes JMP 00000001735b18e9
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                            0000000076f63b76 5 bytes JMP 00000001735b2269
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                              0000000076f6449c 5 bytes JMP 00000001735b2431
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                       0000000076f6460e 5 bytes JMP 00000001735b3569
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                 0000000076f64637 5 bytes JMP 00000001735b2c81
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW                                      0000000076f6a217 5 bytes JMP 00000001735b7329
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW                                   0000000076f6a500 5 bytes JMP 00000001735b7291
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                        0000000076f6c73a 5 bytes JMP 00000001735b27c1
.text    C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe[3652] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid                                 0000000076f6e2a4 5 bytes JMP 00000001735b7ca9
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                               00000000772e8731 11 bytes [B8, F9, 04, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                              00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                             00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                       000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                   000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                       000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                   000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                       000000007730ddc0 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                   000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                 000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                             000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                            000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                        000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                          000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                      000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                            000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                        000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                          000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                      000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                             000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                         000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                              000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                          000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                             000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                         000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                            000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                  000000007730e100 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                              000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                               000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                           000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                              000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                          000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                  000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                              000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                            000000007730eb70 6 bytes [48, B8, 79, 01, B4, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                        000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                              000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                          000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                            000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                        000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                        000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                    000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                              000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
         

14.07.2015, 12:44   #11
McFly87
 
Code:
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                          000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                               000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                           000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                  000000007730f480 6 bytes [48, B8, 39, 0A, B4, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                              000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                        000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                         00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                   00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                            00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                           00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                     00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                        00000000770c0941 11 bytes [B8, 79, 08, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                      00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                      00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                               000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                               000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                  000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                  000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                            000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                           000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                          000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                          000007fefd212db1 11 bytes [B8, 79, B4, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                       000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                         000007fefd215370 12 bytes [48, B8, F9, E1, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                        000007fefd215eb1 11 bytes [B8, B9, E3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                             000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                   000007fefd2197a1 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                      000007fefd21a0e1 11 bytes [B8, 39, E0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                           000007fefd21aec0 12 bytes [48, B8, B9, B2, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                       000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                           000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                       000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                     000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                   000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                  000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                         000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                         000007fefdf3ae81 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                   000007fefdf3aee1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                         000007fefdf3e6e9 11 bytes [B8, F9, FD, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                   000007fefdf4048d 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                        000007fefdf40579 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                      000007fefdf405b1 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                     000007fefdf405f9 5 bytes [B8, 39, FC, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                         000007fefdf54e21 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                             000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                           000007fefdf6b9c1 7 bytes [B8, B9, EA, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                          000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                             000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                       000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                       000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                          000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                      000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                           000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                       000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                       000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!CreateWindowExA                                                              00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                             00000000771ca405 11 bytes [B8, F9, 0B, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                           00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                              00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                              00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                          00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                      00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                        00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                        00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!CreateWindowExW                                                              00000000771d0810 12 bytes [48, B8, 79, 91, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!ShowWindow                                                                   00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                               00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                             00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWinEventHook                                                              00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                              00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                           00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                             00000000771d76e5 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                             00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!GetMessageW                                                                  00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                  00000000771da2c9 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                               00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                            00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                              00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                              00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                        00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                       00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                            00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                            00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                            0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                            0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                           000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                            000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                            000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                        000007fefdb9b039 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                               000007fefdbc8fd9 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                  000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!closesocket                                                                  000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                               000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                  000007fefdee2201 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                 000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!connect                                                                      000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!send + 1                                                                     000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                            000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                               000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!socket + 1                                                                   000007fefdeede91 11 bytes [B8, 79, EC, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!recv + 1                                                                     000007fefdeedf41 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3760] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                               000007fefdf0e0f1 11 bytes [B8, F9, EF, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                                                             00000000772e8731 11 bytes [B8, B9, 06, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                            00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                                                           00000000772f676a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                     000000007730dca0 6 bytes [48, B8, 79, C2, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                 000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                     000000007730dd70 6 bytes [48, B8, 39, AF, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                 000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                                                     000000007730ddc0 6 bytes [48, B8, F9, 04, B4, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                                                                 000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                               000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                           000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                          000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                      000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                        000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                    000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          000000007730de70 6 bytes [48, B8, 79, AD, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                      000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                        000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                    000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                           000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                       000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                     000000007730dfc0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                                                                 000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                            000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                        000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                           000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                       000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                              000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                          000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                000000007730e100 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                            000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                             000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                         000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                            000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                        000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                000000007730e9a0 6 bytes [48, B8, 39, C4, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                            000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                                                          000000007730eb70 6 bytes [48, B8, 39, 03, B4, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                                                      000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                            000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                        000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                          000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                      000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                      000000007730f2a0 6 bytes [48, B8, F9, C5, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                  000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                            000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                        000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                             000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                         000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                000000007730f480 6 bytes [48, B8, F9, 0B, B4, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                            000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                      000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                       00000000770a1b21 11 bytes [B8, B9, C0, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                 00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                                                          00000000770a2b61 8 bytes [B8, B9, D5, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                                                         00000000770a2b6a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!RegSetValueExW                                                                           00000000770aa3e0 7 bytes JMP 000000016fff0228
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!RegQueryValueExW                                                                         00000000770b3f00 5 bytes JMP 000000016fff0180
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                   00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                      00000000770c0941 11 bytes [B8, 39, 0A, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!RegDeleteValueW                                                                          00000000770cffd0 5 bytes JMP 000000016fff01b8
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                                                    00000000770df350 5 bytes JMP 000000016fff0110
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                    00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                    00000000770f5341 11 bytes [B8, 39, 77, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                                                  0000000077109aa0 7 bytes JMP 000000016fff00d8
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                             000000007710a650 12 bytes [48, B8, B9, 81, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                             000000007710a760 12 bytes [48, B8, 39, 7E, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                                                  0000000077119530 5 bytes JMP 000000016fff0148
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1                                                                000000007712f501 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1                                                                000000007712f701 11 bytes [B8, 39, D9, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!MoveFileExA + 1                                                                          000000007712f731 8 bytes [B8, 39, D2, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!MoveFileExA + 10                                                                         000000007712f73a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\kernel32.dll!RegSetValueExA                                                                           0000000077138850 7 bytes JMP 000000016fff01f0
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                        000007fefd211861 11 bytes [B8, 79, 52, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                                            000007fefd212db0 12 bytes JMP 000007fffd200180
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                     000007fefd213461 11 bytes [B8, 39, B6, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                                                       000007fefd2137d0 7 bytes JMP 000007fffd2000d8
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW                                                                       000007fefd215370 12 bytes [48, B8, B9, E3, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1                                                                      000007fefd215eb1 11 bytes [B8, 79, E5, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                           000007fefd218f20 12 bytes [48, B8, B9, 50, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1                                                                 000007fefd2197a1 11 bytes [B8, 79, 01, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!DeviceIoControl + 1                                                                    000007fefd21a0e1 11 bytes [B8, F9, E1, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                                                     000007fefd21a410 2 bytes JMP 000007fffd200110
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW + 3                                                                 000007fefd21a413 2 bytes [FE, FF]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                         000007fefd21aec0 12 bytes JMP 000007fffd200148
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                     000007fefd21ca31 11 bytes [B8, F9, B0, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                         000007fefd2237d1 11 bytes [B8, F9, 4E, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                     000007fefd244310 12 bytes [48, B8, B9, 42, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                                   000007fefd250bd1 11 bytes [B8, B9, CE, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                 000007fefd252831 8 bytes [B8, 39, 23, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                000007fefd25283a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                       000007fefd252871 11 bytes [B8, F9, 40, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1                                                                       000007fefdf3ae81 11 bytes [B8, 79, FA, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                                                 000007fefdf3aee1 11 bytes [B8, 39, E7, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1                                                                       000007fefdf3e6e9 11 bytes [B8, B9, FF, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                                                 000007fefdf4048d 11 bytes [B8, F9, E8, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1                                                                      000007fefdf40579 11 bytes [B8, B9, F8, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                                    000007fefdf405b1 11 bytes [B8, 39, FC, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 73                                                                   000007fefdf405f9 5 bytes [B8, F9, FD, B3, 75]
.text    ...                                                                                                                                                     * 2
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                                       000007fefdf54e21 11 bytes [B8, 39, 11, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                           000007fefdf55538 12 bytes [48, B8, B9, 6C, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1                                                                         000007fefdf6b9c1 7 bytes [B8, 79, EC, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10                                                                        000007fefdf6b9ca 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                           000007fefdf6ba4c 12 bytes [48, B8, F9, 6A, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                     000007fefdf6bbc0 12 bytes [48, B8, 79, 60, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                     000007fefdf6bc2c 12 bytes [48, B8, B9, 5E, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                        000007fefdd1642d 11 bytes [B8, 39, 5B, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                              000007fefdd16484 12 bytes [48, B8, F9, 55, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                    000007fefdd16519 11 bytes [B8, 39, 62, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                              000007fefdd16c34 12 bytes [48, B8, 39, 54, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                         000007fefdd17ab5 11 bytes [B8, F9, 5C, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                     000007fefdd18b01 11 bytes [B8, B9, 57, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                     000007fefdd18c39 11 bytes [B8, 79, 59, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW                                                                        00000000771c6c80 5 bytes JMP 000000016fff02d0
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                            00000000771ca2e0 12 bytes [48, B8, 39, 93, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                           00000000771ca405 11 bytes [B8, B9, 0D, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA                                                                        00000000771ca5b4 5 bytes JMP 000000016fff0298
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                         00000000771cbae1 11 bytes [B8, F9, 86, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                            00000000771cd265 7 bytes [B8, 79, BB, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                            00000000771cd26d 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                        00000000771cd440 6 bytes [48, B8, B9, 88, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                    00000000771cd448 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                      00000000771cf875 7 bytes [B8, 79, 21, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                      00000000771cf87d 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                            00000000771d0810 7 bytes JMP 000000016fff0308
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!ShowWindow                                                                                 00000000771d1930 6 bytes [48, B8, F9, 94, B3, 75]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                             00000000771d1938 4 bytes [00, 00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                           00000000771d3a19 11 bytes [B8, F9, 71, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWinEventHook                                                                            00000000771d4d4c 12 bytes [48, B8, 39, 3F, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                            00000000771d6111 11 bytes [B8, 79, 6E, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                         00000000771d7055 11 bytes [B8, 79, 9F, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                           00000000771d76e5 11 bytes [B8, 79, 0F, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                           00000000771d8fd1 11 bytes [B8, B9, 73, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!GetMessageW                                                                                00000000771d9e74 12 bytes [48, B8, 39, 70, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                00000000771da2c9 11 bytes [B8, F9, 12, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo                                                                 00000000771dccec 9 bytes JMP 000000016fff0260
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                             00000000771e4efd 11 bytes [B8, 79, 98, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                          00000000771e7469 11 bytes [B8, B9, 96, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                            00000000771e8271 7 bytes [B8, F9, B7, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                            00000000771e8279 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                      00000000771e8c21 8 bytes [B8, B9, 1F, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                     00000000771e8c2a 2 bytes [50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                          00000000771e8d21 7 bytes [B8, 39, BD, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                          00000000771e8d29 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW                                                                   0000000077210700 5 bytes JMP 000000016fff0340
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                          0000000077231371 11 bytes [B8, 39, 9A, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                          0000000077231395 11 bytes [B8, F9, 9B, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                         000000007723d379 11 bytes [B8, B9, 9D, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                          000000007723dae1 7 bytes [B8, B9, B9, B3, 75, 00, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                          000000007723dae9 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                                                      000007fefdb989e0 8 bytes JMP 000007fffd2001f0
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349                                                                      000007fefdb9b039 11 bytes [B8, B9, 14, B4, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                                                    000007fefdb9be40 8 bytes JMP 000007fffd2001b8
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\GDI32.dll!NamedEscape + 1                                                                             000007fefdbc8fd9 11 bytes [B8, F9, F6, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                            000007fefd947490 11 bytes JMP 000007fffd200228
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                                           000007fefd95bf00 7 bytes JMP 000007fffd200260
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                                     000007fefe49dd61 11 bytes [B8, 79, 8A, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                000007fefdee13b1 11 bytes [B8, B9, AB, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!closesocket                                                                                000007fefdee18e0 12 bytes [48, B8, F9, A9, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                             000007fefdee1bd1 11 bytes [B8, 39, A8, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                000007fefdee2201 11 bytes [B8, 39, F5, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                               000007fefdee23c0 12 bytes [48, B8, 39, 8C, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!connect                                                                                    000007fefdee45c0 12 bytes [48, B8, 79, 67, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!send + 1                                                                                   000007fefdee8001 11 bytes [B8, 79, A6, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                              000007fefdee8df0 7 bytes [48, B8, B9, 8F, B3, 75, 00]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                          000007fefdee8df9 3 bytes [00, 50, C3]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW                                                                             000007fefdeec090 12 bytes [48, B8, F9, 8D, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                 000007fefdeede91 11 bytes [B8, 39, EE, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                   000007fefdeedf41 11 bytes [B8, 79, F3, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                             000007fefdf0e0f1 11 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8                                                                              000007fefc6456e0 12 bytes [48, B8, 39, CB, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\DNSAPI.dll!DnsQuery_W                                                                                 000007fefc65010c 12 bytes [48, B8, 79, C9, B3, 75, 00, ...]
.text    C:\Windows\splwow64.exe[3824] C:\Windows\system32\DNSAPI.dll!DnsQuery_A                                                                                 000007fefc66daa0 12 bytes [48, B8, B9, C7, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1                                           00000000772e8731 11 bytes [B8, B9, 22, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                          00000000772f6761 7 bytes [B8, 39, 69, B3, 75, 00, 00]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10                         00000000772f676a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                   000000007730dca0 6 bytes [48, B8, 79, DE, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                               000000007730dca8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                   000000007730dd70 6 bytes [48, B8, 39, CB, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                               000000007730dd78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken                                   000000007730ddc0 6 bytes [48, B8, F9, 20, B4, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken + 8                               000000007730ddc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                             000000007730de10 6 bytes [48, B8, F9, 32, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                         000000007730de18 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                        000000007730de30 6 bytes [48, B8, 39, 1C, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                    000000007730de38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                      000000007730de50 6 bytes [48, B8, F9, 1D, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                  000000007730de58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                        000000007730de70 6 bytes [48, B8, 79, C9, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                    000000007730de78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                      000000007730df50 6 bytes [48, B8, 79, 2F, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                  000000007730df58 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                         000000007730df70 6 bytes [48, B8, 79, 36, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                     000000007730df78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                   000000007730dfc0 6 bytes [48, B8, 79, FA, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken + 8                               000000007730dfc8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                          000000007730e000 6 bytes [48, B8, B9, 34, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                      000000007730e008 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                         000000007730e080 6 bytes [48, B8, 39, 2A, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                     000000007730e088 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                            000000007730e090 6 bytes [48, B8, B9, 26, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                        000000007730e098 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                              000000007730e100 6 bytes [48, B8, 39, FC, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                          000000007730e108 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                           000000007730e5d0 6 bytes [48, B8, 79, 28, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                       000000007730e5d8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                          000000007730e630 6 bytes [48, B8, F9, 24, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                      000000007730e638 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                              000000007730e9a0 6 bytes [48, B8, 39, E0, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                          000000007730e9a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken                                        000000007730eb70 6 bytes [48, B8, 39, 1F, B4, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8                                    000000007730eb78 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                          000000007730eee0 6 bytes [48, B8, 79, 83, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                      000000007730eee8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                        000000007730f0e0 6 bytes [48, B8, 39, 31, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                    000000007730f0e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                    000000007730f2a0 6 bytes [48, B8, F9, E1, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                000000007730f2a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                          000000007730f380 6 bytes [48, B8, 79, 3D, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                      000000007730f388 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                           000000007730f390 6 bytes [48, B8, B9, 3B, B3, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                       000000007730f398 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                              000000007730f480 6 bytes [48, B8, F9, 27, B4, 75]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                          000000007730f488 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                    000000007737ed21 11 bytes [B8, 39, 85, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                     00000000770a1b21 11 bytes [B8, B9, DC, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                               00000000770a1c10 12 bytes [48, B8, F9, 39, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!MoveFileExW + 1                                        00000000770a2b61 8 bytes [B8, B9, F1, B3, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!MoveFileExW + 10                                       00000000770a2b6a 2 bytes [50, C3]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                 00000000770bdbc0 12 bytes [48, B8, B9, 2D, B3, 75, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                    00000000770c0941 11 bytes [B8, 39, 26, B4, 75, 00, 00, ...]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe[4440] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                  00000000770f5321 11 bytes [B8, B9, 7A, B3, 75, 00, 00, ...]