
Log analysis and evaluation: Alleged keylogger/rootkit: Doctor2 rundll32.exe


18.06.2014, 12:51   #1
Exa
 
Alleged keylogger/rootkit: Doctor2 rundll32.exe



Hello, since I have already tried a number of things and found various pieces of information on the web that unfortunately did not help me, I would now like to turn to you.

It's about the following: on Monday my WoW account was hacked 4 times. After consulting customer support and using various anti-spyware/malware tools, I was given the following information:

In my MsInfo file a program is listed under the "Autostartprogramme" (startup programs) tab:
Doctor2 rundll32.exe c:\users\alex\appdata\local\temp\dw64.dll,w Alex-PC\Alex Start

According to customer support, this program is a keylogger/rootkit.

Among other things, I ran scans with the antivirus programs Avast, Bitdefender, Malwarebytes, TDSSKiller, HijackThis and GMER. After Malwarebytes identified a few threats and moved them to quarantine, no program reported an infection any more. Doctor2, however, is still in the MsInfo after exporting it again.

Is this really a virus? If so, can someone help me? Attached are the required log files; I had to zip the GMER log file because it was too big.

Many thanks in advance
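One way to triage an autostart entry like the one quoted above, as an added example (not code from this thread and not FRST's own code): a small Python parser over the "...\Run:" lines that FRST prints in its "Registry (Whitelisted)" section, the format of the FRST log posted further down in this thread. The sample lines are constructed from that log, and the regexes, the list of host binaries and the user-writable path list are my own assumptions, not FRST's documented grammar.

```python
"""Triage Run-key autostart entries from an FRST (Farbar Recovery Scan Tool) log.
Added example, not code from this thread or from FRST: it parses the
"...\Run: [Name] => command [size date] (Company)" lines of FRST's
"Registry (Whitelisted)" section and flags what a log helper looks at first.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in FRST format, modelled on the log posted in this
# thread; the Doctor2 line is the entry the thread is about.
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13636824 2013-07-26] (Realtek Semiconductor)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-2514585675-1378572018-3791475494-1000\...\Run: [Doctor2] => rundll32.exe C:\Users\Alex\AppData\Local\Temp\Dw64.dll,W <===== ATTENTION
HKU\S-1-5-21-2514585675-1378572018-3791475494-1000\...\Run: [Bitdefender-Geldbörse] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [1002048 2014-04-09] (Bitdefender)
"""

# "<hive>\...\Run: [<name>] => <rest>"; the hive may carry a user SID (assumed format).
RUN_LINE = re.compile(r"^(?P<hive>\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
# Trailing "[<size> <date>] (<company>)" that FRST prints for files it could inspect.
META = re.compile(r"^(?P<command>.*) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\](?: \((?P<company>.*)\))?$")
ATTENTION_MARK = " <===== ATTENTION"  # FRST's own flag on lines it finds suspicious

# Signed Windows binaries commonly abused to host a DLL or script at logon (assumed list).
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Locations a standard user can write to; a logon module living there deserves a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\windows\\temp\\")

@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    size: Optional[int]        # None when FRST printed no "[size date]"
    date: Optional[str]
    company: Optional[str]
    frst_attention: bool       # line ended with "<===== ATTENTION"

@dataclass
class Finding:
    entry: RunEntry
    reasons: List[str]

def parse_run_lines(log_text: str) -> List[RunEntry]:
    """Extract every Run-key line of an FRST log into a RunEntry."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        flagged = rest.endswith(ATTENTION_MARK)
        if flagged:
            rest = rest[: -len(ATTENTION_MARK)]
        meta = META.match(rest)
        if meta:
            entries.append(RunEntry(m.group("hive"), m.group("name"), meta.group("command"),
                                    int(meta.group("size")), meta.group("date"),
                                    meta.group("company"), flagged))
        else:  # no metadata: FRST could not attribute the command to an inspected file
            entries.append(RunEntry(m.group("hive"), m.group("name"), rest, None, None, None, flagged))
    return entries

def triage_entry(entry: RunEntry) -> List[str]:
    """Return the reasons (possibly none) why this autostart entry deserves review."""
    reasons = []
    cmd = entry.command.lower()
    first, _, remainder = cmd.partition(" ")
    host = ntpath.basename(first.strip('"'))
    target = cmd
    if host in HOST_BINARIES:
        reasons.append(f"{host} is used as a host process for: {remainder or '(no argument)'}")
        target = remainder
    hit = next((loc for loc in USER_WRITABLE if loc in target), None)
    if hit:
        loc = hit.strip("\\")
        reasons.append(f"module lives under a user-writable path ({loc})")
    if entry.size is None and entry.company is None:
        reasons.append("no size/date/vendor metadata printed for the file")
    if entry.frst_attention:
        reasons.append("FRST itself marked the line '<===== ATTENTION'")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Parse an FRST log and return only the Run entries that have review reasons."""
    findings = []
    for entry in parse_run_lines(log_text):
        reasons = triage_entry(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.hive} [{f.entry.name}] => {f.entry.command}")
        print("   - " + "\n   - ".join(f.reasons))
```

Run against the sample, only the Doctor2 line is reported, with all four reasons; the vendor-attributed entries with size and date metadata produce none.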

18.06.2014, 12:51   #2
cosinus
 



Hi and

Please do not attach logs; if necessary, split them and post them spread across several posts.

Reading material:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder.
Even if the logs should be too large for one post, I ask you to post the logs directly and, if necessary, spread across several posts.
To put the log files into a CODE box, proceed as follows:
  • Select the entire log file (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is right ... click Reply.

18.06.2014, 13:00   #3
Exa
 



Sorry! I thought it was right that way round.
Here is everything in code boxes

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 13:19 on 18/06/2014 (Alex)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-06-2014
Ran by Alex (administrator) on ALEX-PC on 18-06-2014 13:22:26
Running from C:\Users\Alex\Downloads
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal


==================== Processes (Whitelisted) =================

(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Safebox\safeboxservice.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe
(FNet Co., Ltd.) C:\Program Files (x86)\XFastUSB\XFastUsb.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
() C:\Users\Alex\Downloads\Defogger.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13636824 2013-07-26] (Realtek Semiconductor)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [8290584 2013-08-01] (Logitech Inc.)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\nvspcap64.dll [1279480 2014-05-30] (NVIDIA Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2352072 2014-05-30] (NVIDIA Corporation)
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender\bdagent.exe [1743088 2014-05-21] (Bitdefender)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [134616 2013-03-12] (Intel Corporation)
HKLM-x32\...\Run: [XFastUSB] => C:\Program Files (x86)\XFastUSB\XFastUsb.exe [4936968 2013-11-02] (FNet Co., Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\.DEFAULT\...\Run: [Bitdefender-Geldbörse-Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [568400 2014-05-20] (Bitdefender)
HKU\.DEFAULT\...\Run: [Bitdefender-Geldbörse] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [1002048 2014-04-09] (Bitdefender)
HKU\.DEFAULT\...\Run: [Bitdefender-Geldbörse-Anwendungs-Agent] => C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe [614744 2014-04-09] (Bitdefender)
HKU\S-1-5-21-2514585675-1378572018-3791475494-1000\...\Run: [Doctor2] => rundll32.exe C:\Users\Alex\AppData\Local\Temp\Dw64.dll,W <===== ATTENTION
HKU\S-1-5-21-2514585675-1378572018-3791475494-1000\...\Run: [Bitdefender-Geldbörse-Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [568400 2014-05-20] (Bitdefender)
HKU\S-1-5-21-2514585675-1378572018-3791475494-1000\...\Run: [Bitdefender-Geldbörse] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [1002048 2014-04-09] (Bitdefender)
HKU\S-1-5-21-2514585675-1378572018-3791475494-1000\...\Run: [Bitdefender-Geldbörse-Anwendungs-Agent] => C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe [614744 2014-04-09] (Bitdefender)
Startup: C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung Magician.lnk
ShortcutTarget: Samsung Magician.lnk -> C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe (Samsung Electronics.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x65B23CA2D9D7CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender\pmbxie.dll (Bitdefender)
BHO-x32: Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender\Antispam32\pmbxie.dll (Bitdefender)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\f2vgn55p.default
FF Homepage: https://www.google.de/
FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(shExpMatch(url%2C%20'https%3A%2F%2Faccount.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20url.indexOf('play.google.com')%20!%3D%20-1%20%7C%7C%20(url.indexOf('youtube.com%2Fvideoplayback')%20!%3D%20-1%20%26%26%20url.indexOf('%26gcr%3Dus')%20!%3D%20-1%20%26%26%20url.indexOf('%26ptchn')%20!%3D%20-1)%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fnew.songza.com*')%20%7C%7C%20url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpreview.grooveshark.com*')%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*')%20%7C%7C
%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*'))%20%7B%20return%20'PROXY%20nq-us06.personalitycores.com%3A8000%3B%20PROXY%20nq-us04.personalitycores.com%3A8000%3B%20PROXY%20nq-us05.personalitycores.com%3A8000%3B%20PROXY%20nq-us11.personalitycores.com%3A8000%3B%20PROXY%20nq-us10.personalitycores.com%3A8000%3B%20PROXY%20nq-us08.personalitycores.com%3A8000%3B%20PROXY%20nq-us09.personalitycores.com%3A8000%3B%20PROXY%20nq-us12.personalitycores.com%3A8000%3B%20PROXY%20nq-us07.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
FF NetworkProxy: "ftp", "71.56.183.237"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "no_proxies_on", "localhost, 127.0.0.1, stealthy.co"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "71.56.183.237"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "71.56.183.237"
FF NetworkProxy: "ssl_port", 8080
FF NetworkProxy: "type", 2
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_125.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_125.dll ()
FF Plugin-x32: @esn/npbattlelog,version=2.3.1 - C:\Program Files (x86)\Battlelog Web Plugins\2.3.1\npbattlelog.dll No File
FF Plugin-x32: @esn/npbattlelog,version=2.4.0 - C:\Program Files (x86)\Battlelog Web Plugins\2.4.0\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: ProxMate - Proxy on steroids! - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\f2vgn55p.default\Extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi [2014-01-26]
FF Extension: Adblock Plus - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\f2vgn55p.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-11-02]
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman [2014-06-16]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\bdtbext
FF Extension: bdToolbar - C:\Program Files\Bitdefender\Bitdefender\bdtbext [2014-06-16]
FF HKLM-x32\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman\
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman\ []
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\bdtbext
FF Extension: bdToolbar - C:\Program Files\Bitdefender\Bitdefender\bdtbext [2014-06-16]

==================== Services (Whitelisted) =================

S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender\bdparentalservice.exe [77632 2013-11-21] (Bitdefender)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-12] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [174368 2014-02-28] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-03-12] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1631008 2014-05-30] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21055432 2014-05-30] (NVIDIA Corporation)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2013-11-21] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-10] ()
R2 SafeBox; C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [94624 2013-07-08] (Bitdefender)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [67320 2013-10-07] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [1526800 2014-05-21] (Bitdefender)
S2 avgwd; F:\AVG\avgwdsvc.exe [X]

==================== Drivers (Whitelisted) ====================

R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [893440 2013-12-02] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [261056 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [635392 2013-12-02] (BitDefender)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192824 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-09-02] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 BdfNdisf; c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [93600 2013-11-13] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [103504 2011-11-14] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [121928 2013-07-02] (Bitdefender SRL)
S3 BDSandBox; C:\Windows\system32\drivers\bdsandbox.sys [82824 2013-11-04] (BitDefender SRL)
R1 BDVEDISK; C:\Windows\System32\DRIVERS\bdvedisk.sys [76944 2012-04-17] (BitDefender)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [495376 2013-05-30] (Intel Corporation)
S3 FNETTBOH_305; C:\Windows\System32\drivers\FNETTBOH_305.SYS [32320 2013-11-02] (FNet Co., Ltd.)
R1 FNETURPX; C:\Windows\System32\drivers\FNETURPX.SYS [16648 2013-11-02] (FNet Co., Ltd.)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [150256 2013-08-23] (BitDefender LLC)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-06-18] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
R3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0116.sys [28768 2014-03-12] (SoftEther VPN Project at University of Tsukuba, Japan.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20256 2014-05-30] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [389240 2013-08-07] (BitDefender S.R.L.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-18 13:22 - 2014-06-18 13:22 - 00017754 _____ () C:\Users\Alex\Downloads\FRST.txt
2014-06-18 13:21 - 2014-06-18 13:22 - 00000000 ____D () C:\FRST
2014-06-18 13:21 - 2014-06-18 13:21 - 02081280 _____ (Farbar) C:\Users\Alex\Downloads\FRST64.exe
2014-06-18 13:19 - 2014-06-18 13:19 - 00050477 _____ () C:\Users\Alex\Downloads\Defogger.exe
2014-06-18 13:19 - 2014-06-18 13:19 - 00000470 _____ () C:\Users\Alex\Downloads\defogger_disable.log
2014-06-18 13:19 - 2014-06-18 13:19 - 00000000 _____ () C:\Users\Alex\defogger_reenable
2014-06-18 11:33 - 2014-06-18 11:33 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Alex\Desktop\tdsskiller.exe
2014-06-18 11:11 - 2014-06-18 11:11 - 00380416 _____ () C:\Users\Alex\Downloads\Gmer-19357.exe
2014-06-18 10:27 - 2014-06-18 10:27 - 01039096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys.1403080315885
2014-06-18 10:27 - 2014-06-18 10:27 - 00423240 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys.1403080315885
2014-06-18 10:26 - 2014-06-18 10:26 - 94714880 _____ (AVAST Software) C:\Users\Alex\Downloads\avast_free_antivirus_setup_21514.exe
2014-06-17 23:22 - 2014-06-17 23:22 - 00577058 _____ () C:\Users\Alex\Downloads\Skada-1.4-17.zip
2014-06-17 22:57 - 2014-06-17 22:57 - 00029081 _____ () C:\Users\Alex\Desktop\dxdiag.txt
2014-06-17 22:53 - 2014-06-18 12:34 - 00000000 ____D () C:\Users\Alex\AppData\Local\Battle.net
2014-06-17 22:53 - 2014-06-17 22:55 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Battle.net
2014-06-17 22:53 - 2014-06-17 22:53 - 00000634 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-06-17 22:53 - 2014-06-17 22:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battle.net
2014-06-17 22:52 - 2014-06-17 22:53 - 00000000 ____D () C:\ProgramData\Battle.net
2014-06-17 22:46 - 2014-06-17 22:46 - 02907552 _____ (Blizzard Entertainment) C:\Users\Alex\Downloads\Battle.net-Setup-deDE(1).exe
2014-06-17 22:01 - 2014-06-18 11:40 - 00009171 _____ () C:\Users\Alex\Desktop\hijackthis.log
2014-06-17 21:56 - 2014-06-18 11:35 - 05707292 _____ () C:\Users\Alex\Desktop\msinfo.txt
2014-06-17 21:22 - 2014-06-17 22:53 - 00000000 ____D () C:\ProgramData\Blizzard Entertainment
2014-06-16 15:47 - 2014-06-16 15:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
2014-06-16 14:58 - 2014-06-16 14:58 - 00000000 ____D () C:\Users\Alex\AppData\Local\Blizzard Entertainment
2014-06-16 13:58 - 2014-06-16 13:58 - 00388608 _____ (Trend Micro Inc.) C:\Users\Alex\Desktop\HiJackThis204.exe
2014-06-16 13:56 - 2014-06-18 12:11 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-16 13:56 - 2014-06-16 13:56 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-16 13:56 - 2014-06-16 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-16 13:56 - 2014-06-16 13:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-16 13:56 - 2014-06-16 13:56 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-16 13:56 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-16 13:56 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-06-16 13:56 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-06-16 13:55 - 2014-06-16 13:56 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Alex\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-16 12:30 - 2014-06-16 12:32 - 00001154 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-06-16 12:28 - 2014-06-16 12:29 - 00284288 _____ (Mozilla) C:\Users\Alex\Downloads\Firefox Setup Stub 30.0.exe
2014-06-16 11:35 - 2014-06-16 11:35 - 03361884 _____ () C:\Users\Alex\Downloads\elvui-6.9997.zip
2014-06-16 09:53 - 2014-06-16 09:53 - 00523036 _____ () C:\ProgramData\1402905056.bdinstall.bin
2014-06-16 09:53 - 2014-06-16 09:53 - 00002193 _____ () C:\Users\Public\Desktop\Bitdefender Safepay.lnk
2014-06-16 09:53 - 2014-06-16 09:53 - 00002074 _____ () C:\Users\Public\Desktop\Bitdefender Total Security.lnk
2014-06-16 09:53 - 2014-06-16 09:53 - 00000684 ____H () C:\bdr-cf01
2014-06-16 09:53 - 2014-06-16 09:53 - 00000385 _____ () C:\Windows\system32\user_gensett.xml
2014-06-16 09:53 - 2014-06-16 09:53 - 00000385 _____ () C:\Users\Alex\AppData\Roaminguser_gensett.xml
2014-06-16 09:53 - 2014-06-16 09:53 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_avchv_01009.Wdf
2014-06-16 09:53 - 2014-06-16 09:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender
2014-06-16 09:53 - 2014-06-16 09:53 - 00000000 ____D () C:\ProgramData\BDLogging
2014-06-16 09:53 - 2013-12-02 12:58 - 00635392 _____ (BitDefender) C:\Windows\system32\Drivers\avckf.sys
2014-06-16 09:53 - 2013-12-02 12:56 - 00893440 _____ (BitDefender) C:\Windows\system32\Drivers\avc3.sys
2014-06-16 09:53 - 2013-11-13 16:41 - 00093600 _____ (BitDefender LLC) C:\Windows\system32\Drivers\BdfNdisf6.sys
2014-06-16 09:53 - 2013-11-04 16:47 - 00082824 _____ (BitDefender SRL) C:\Windows\system32\Drivers\bdsandbox.sys
2014-06-16 09:53 - 2013-11-04 16:47 - 00074512 _____ (BitDefender SRL) C:\Windows\SysWOW64\bdsandboxuiskin32.dll
2014-06-16 09:53 - 2012-11-02 14:17 - 00261056 _____ (BitDefender) C:\Windows\system32\Drivers\avchv.sys
2014-06-16 09:53 - 2012-04-17 14:34 - 00076944 _____ (BitDefender) C:\Windows\system32\Drivers\bdvedisk.sys
2014-06-16 09:53 - 2007-04-11 11:11 - 00511328 _____ (Microsoft Corporation) C:\Windows\capicom.dll
2014-06-16 09:52 - 2014-06-16 09:53 - 00253404 ____H () C:\bdr-ld01
2014-06-16 09:52 - 2014-06-16 09:53 - 00009216 ____H () C:\bdr-ld01.mbr
2014-06-16 09:52 - 2014-06-16 09:53 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Bitdefender
2014-06-16 09:52 - 2013-09-24 16:38 - 46879860 ____H () C:\bdr-im01.gz
2014-06-16 09:52 - 2013-08-13 13:38 - 03271472 ____H () C:\bdr-bz01
2014-06-16 09:51 - 2014-06-16 11:18 - 00074512 _____ (BitDefender SRL) C:\Windows\system32\bdsandboxuiskin32.dll
2014-06-16 09:51 - 2014-06-16 09:53 - 00000000 ____D () C:\ProgramData\Bitdefender
2014-06-16 09:51 - 2014-06-16 09:52 - 00000000 ____D () C:\Program Files\Bitdefender
2014-06-16 09:51 - 2013-11-04 16:47 - 00084848 _____ (BitDefender SRL) C:\Windows\system32\BDSandBoxUISkin.dll
2014-06-16 09:51 - 2013-11-04 16:46 - 00034384 _____ (BitDefender SRL) C:\Windows\system32\BDSandBoxUH.dll
2014-06-16 09:51 - 2013-08-23 13:48 - 00150256 _____ (BitDefender LLC) C:\Windows\system32\Drivers\gzflt.sys
2014-06-16 09:51 - 2013-08-07 13:46 - 00389240 _____ (BitDefender S.R.L.) C:\Windows\system32\Drivers\trufos.sys
2014-06-16 09:50 - 2014-06-16 09:50 - 07304560 _____ () C:\Users\Alex\Downloads\bitdefender_tsecurity(1).exe
2014-06-16 09:50 - 2014-06-16 09:50 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\QuickScan
2014-06-16 09:49 - 2014-06-16 09:51 - 00000000 ____D () C:\Program Files\Common Files\Bitdefender
2014-06-16 09:49 - 2014-06-16 09:49 - 07304560 _____ () C:\Users\Alex\Downloads\bitdefender_tsecurity.exe
2014-06-16 00:43 - 2014-06-17 22:43 - 00000000 ____D () C:\Users\Alex\Documents\My Curse
2014-06-16 00:43 - 2014-06-16 00:44 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Curse Advertising
2014-06-16 00:43 - 2014-06-16 00:43 - 00003110 _____ () C:\Windows\System32\Tasks\{70495B33-1C5A-432C-98DA-FEB4468E8575}
2014-06-16 00:43 - 2014-06-16 00:43 - 00000000 ____D () C:\Users\Alex\AppData\Local\Apps\2.0
2014-06-16 00:42 - 2014-06-17 22:43 - 00000000 ____D () C:\Users\Alex\AppData\Local\Deployment
2014-06-16 00:42 - 2014-06-16 00:42 - 00402696 _____ () C:\Users\Alex\Downloads\setup.exe
2014-06-15 23:49 - 2014-06-15 23:49 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\LavasoftStatistics
2014-06-15 23:48 - 2014-06-15 23:48 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Lavasoft
2014-06-15 23:43 - 2014-06-15 23:43 - 00000000 ____D () C:\ProgramData\Lavasoft
2014-06-15 23:43 - 2014-06-15 23:43 - 00000000 ____D () C:\Program Files\Common Files\Lavasoft
2014-06-15 23:42 - 2014-06-15 23:42 - 01707144 _____ () C:\Users\Alex\Downloads\Adaware_Installer.exe
2014-06-15 21:33 - 2014-06-18 11:56 - 00386620 _____ () C:\Windows\PFRO.log
2014-06-15 19:50 - 2014-06-15 20:25 - 00000000 ____D () C:\Users\Alex\AppData\Local\._LiveCode_
2014-06-15 19:50 - 2014-06-15 19:50 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Acreon
2014-06-15 12:30 - 2014-06-15 12:30 - 02247960 _____ () C:\Users\Alex\Downloads\battlelog-web-plugins_2.4.0_141(1).exe
2014-06-15 10:11 - 2014-06-18 11:56 - 00002315 _____ () C:\Windows\setupact.log
2014-06-15 10:11 - 2014-06-15 10:11 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-14 17:05 - 2014-06-14 17:06 - 04748896 _____ (Piriform Ltd) C:\Users\Alex\Downloads\ccsetup414.exe
2014-06-14 09:38 - 2014-06-14 09:38 - 00000000 ____D () C:\Users\Alex\AppData\Local\Adobe
2014-06-11 16:50 - 2014-06-08 11:13 - 00506368 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-06-11 16:50 - 2014-06-08 11:08 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-06-11 16:50 - 2014-05-30 12:21 - 23414784 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-06-11 16:50 - 2014-05-30 12:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-06-11 16:50 - 2014-05-30 12:02 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-06-11 16:50 - 2014-05-30 11:45 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-06-11 16:50 - 2014-05-30 11:39 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-06-11 16:50 - 2014-05-30 11:39 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-06-11 16:50 - 2014-05-30 11:38 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-06-11 16:50 - 2014-05-30 11:28 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-06-11 16:50 - 2014-05-30 11:27 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-06-11 16:50 - 2014-05-30 11:24 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-06-11 16:50 - 2014-05-30 11:21 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-06-11 16:50 - 2014-05-30 11:21 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-06-11 16:50 - 2014-05-30 11:20 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-06-11 16:50 - 2014-05-30 11:18 - 17271296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-06-11 16:50 - 2014-05-30 11:11 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-06-11 16:50 - 2014-05-30 11:08 - 05782528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-06-11 16:50 - 2014-05-30 11:06 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-06-11 16:50 - 2014-05-30 11:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-06-11 16:50 - 2014-05-30 10:55 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-06-11 16:50 - 2014-05-30 10:49 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-06-11 16:50 - 2014-05-30 10:46 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-06-11 16:50 - 2014-05-30 10:44 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-06-11 16:50 - 2014-05-30 10:44 - 00295424 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-06-11 16:50 - 2014-05-30 10:43 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-06-11 16:50 - 2014-05-30 10:42 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-06-11 16:50 - 2014-05-30 10:38 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-06-11 16:50 - 2014-05-30 10:35 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-06-11 16:50 - 2014-05-30 10:34 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-06-11 16:50 - 2014-05-30 10:33 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-06-11 16:50 - 2014-05-30 10:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-06-11 16:50 - 2014-05-30 10:29 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-06-11 16:50 - 2014-05-30 10:28 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-06-11 16:50 - 2014-05-30 10:27 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-06-11 16:50 - 2014-05-30 10:24 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-06-11 16:50 - 2014-05-30 10:23 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-06-11 16:50 - 2014-05-30 10:16 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-06-11 16:50 - 2014-05-30 10:10 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-06-11 16:50 - 2014-05-30 10:06 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-06-11 16:50 - 2014-05-30 10:04 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-06-11 16:50 - 2014-05-30 10:02 - 00242688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-06-11 16:50 - 2014-05-30 09:56 - 04244992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-06-11 16:50 - 2014-05-30 09:56 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-06-11 16:50 - 2014-05-30 09:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-06-11 16:50 - 2014-05-30 09:50 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-06-11 16:50 - 2014-05-30 09:49 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-06-11 16:50 - 2014-05-30 09:43 - 13522944 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-06-11 16:50 - 2014-05-30 09:40 - 11725312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-06-11 16:50 - 2014-05-30 09:30 - 01398272 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-06-11 16:50 - 2014-05-30 09:21 - 01790976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-06-11 16:50 - 2014-05-30 09:15 - 01143296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-06-11 16:50 - 2014-05-30 09:13 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-06-11 16:50 - 2014-05-30 09:13 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-06-11 16:50 - 2014-04-25 04:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-06-11 16:50 - 2014-04-25 04:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2014-06-11 16:50 - 2014-04-05 04:47 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-06-11 16:50 - 2014-04-05 04:47 - 00288192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2014-06-11 16:50 - 2014-03-26 16:44 - 02002432 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-06-11 16:50 - 2014-03-26 16:44 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-06-11 16:50 - 2014-03-26 16:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2014-06-11 16:50 - 2014-03-26 16:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-06-11 16:50 - 2014-03-26 16:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2014-06-11 16:50 - 2014-03-26 16:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-06-11 16:50 - 2014-03-26 16:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6r.dll
2014-06-11 16:50 - 2014-03-26 16:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-06-10 20:00 - 2014-06-10 20:03 - 00000000 ____D () C:\Users\Alex\Documents\BFH.Beta
2014-06-10 19:48 - 2014-06-10 19:48 - 00000827 _____ () C:\Users\Public\Desktop\Battlefield Hardline Beta.lnk
2014-06-10 19:48 - 2014-06-10 19:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battlefield Hardline Beta
2014-06-02 17:42 - 2014-05-30 01:07 - 01715176 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2014-06-02 17:42 - 2014-05-30 01:07 - 01291232 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2014-05-29 22:16 - 2014-05-29 22:16 - 02247960 _____ () C:\Users\Alex\Downloads\battlelog-web-plugins_2.4.0_141.exe
2014-05-26 18:50 - 2014-05-20 01:10 - 00601432 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2014-05-26 18:49 - 2014-05-20 04:44 - 25256224 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 24025376 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 17561544 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 12688328 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2014-05-26 18:49 - 2014-05-20 04:44 - 11644928 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 11599072 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 09735256 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 09697640 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 03141976 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 02953672 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 02785568 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 02412376 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 01889112 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6433788.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 01541576 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6433788.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00895776 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00892704 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00867784 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00861128 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00837056 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00492376 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00416712 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00382240 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00354016 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00335704 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00305600 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00166568 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2014-05-26 18:49 - 2014-05-20 04:44 - 00146480 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2014-05-22 22:59 - 2014-05-22 22:59 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieUserList
2014-05-22 22:59 - 2014-05-22 22:59 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieSiteList

==================== One Month Modified Files and Folders =======

2014-06-18 13:22 - 2014-06-18 13:22 - 00017754 _____ () C:\Users\Alex\Downloads\FRST.txt
2014-06-18 13:22 - 2014-06-18 13:21 - 00000000 ____D () C:\FRST
2014-06-18 13:22 - 2013-11-02 16:00 - 00000000 ____D () C:\Users\Alex\AppData\Local\Temp
2014-06-18 13:21 - 2014-06-18 13:21 - 02081280 _____ (Farbar) C:\Users\Alex\Downloads\FRST64.exe
2014-06-18 13:19 - 2014-06-18 13:19 - 00050477 _____ () C:\Users\Alex\Downloads\Defogger.exe
2014-06-18 13:19 - 2014-06-18 13:19 - 00000470 _____ () C:\Users\Alex\Downloads\defogger_disable.log
2014-06-18 13:19 - 2014-06-18 13:19 - 00000000 _____ () C:\Users\Alex\defogger_reenable
2014-06-18 13:19 - 2013-11-02 16:00 - 00000000 ____D () C:\Users\Alex
2014-06-18 13:09 - 2013-11-02 18:09 - 00000288 _____ () C:\Windows\Tasks\UpdaterEX.job
2014-06-18 12:48 - 2014-01-16 17:03 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-18 12:34 - 2014-06-17 22:53 - 00000000 ____D () C:\Users\Alex\AppData\Local\Battle.net
2014-06-18 12:11 - 2014-06-16 13:56 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-18 12:03 - 2013-11-10 00:11 - 01844773 _____ () C:\Windows\WindowsUpdate.log
2014-06-18 12:03 - 2009-07-14 19:58 - 00699416 _____ () C:\Windows\system32\perfh007.dat
2014-06-18 12:03 - 2009-07-14 19:58 - 00149556 _____ () C:\Windows\system32\perfc007.dat
2014-06-18 12:03 - 2009-07-14 07:13 - 01620612 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-18 12:03 - 2009-07-14 06:45 - 00015632 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-18 12:03 - 2009-07-14 06:45 - 00015632 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-18 11:56 - 2014-06-15 21:33 - 00386620 _____ () C:\Windows\PFRO.log
2014-06-18 11:56 - 2014-06-15 10:11 - 00002315 _____ () C:\Windows\setupact.log
2014-06-18 11:56 - 2013-11-02 18:10 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-06-18 11:56 - 2013-11-02 16:46 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-06-18 11:56 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-18 11:40 - 2014-06-17 22:01 - 00009171 _____ () C:\Users\Alex\Desktop\hijackthis.log
2014-06-18 11:35 - 2014-06-17 21:56 - 05707292 _____ () C:\Users\Alex\Desktop\msinfo.txt
2014-06-18 11:33 - 2014-06-18 11:33 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Alex\Desktop\tdsskiller.exe
2014-06-18 11:11 - 2014-06-18 11:11 - 00380416 _____ () C:\Users\Alex\Downloads\Gmer-19357.exe
2014-06-18 10:33 - 2013-11-02 18:11 - 00000000 ____D () C:\Users\Alex\AppData\Local\Google
2014-06-18 10:33 - 2013-11-02 18:11 - 00000000 ____D () C:\Program Files (x86)\Google
2014-06-18 10:27 - 2014-06-18 10:27 - 01039096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys.1403080315885
2014-06-18 10:27 - 2014-06-18 10:27 - 00423240 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys.1403080315885
2014-06-18 10:26 - 2014-06-18 10:26 - 94714880 _____ (AVAST Software) C:\Users\Alex\Downloads\avast_free_antivirus_setup_21514.exe
2014-06-17 23:22 - 2014-06-17 23:22 - 00577058 _____ () C:\Users\Alex\Downloads\Skada-1.4-17.zip
2014-06-17 22:57 - 2014-06-17 22:57 - 00029081 _____ () C:\Users\Alex\Desktop\dxdiag.txt
2014-06-17 22:55 - 2014-06-17 22:53 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Battle.net
2014-06-17 22:53 - 2014-06-17 22:53 - 00000634 _____ () C:\Users\Public\Desktop\Battle.net.lnk
2014-06-17 22:53 - 2014-06-17 22:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battle.net
2014-06-17 22:53 - 2014-06-17 22:52 - 00000000 ____D () C:\ProgramData\Battle.net
2014-06-17 22:53 - 2014-06-17 21:22 - 00000000 ____D () C:\ProgramData\Blizzard Entertainment
2014-06-17 22:46 - 2014-06-17 22:46 - 02907552 _____ (Blizzard Entertainment) C:\Users\Alex\Downloads\Battle.net-Setup-deDE(1).exe
2014-06-17 22:43 - 2014-06-16 00:43 - 00000000 ____D () C:\Users\Alex\Documents\My Curse
2014-06-17 22:43 - 2014-06-16 00:42 - 00000000 ____D () C:\Users\Alex\AppData\Local\Deployment
2014-06-17 22:43 - 2013-11-02 16:00 - 00000000 ___RD () C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-06-17 22:42 - 2013-11-02 16:54 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\TS3Client
2014-06-16 16:46 - 2014-02-12 21:35 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\MediaMonkey
2014-06-16 15:48 - 2014-06-16 15:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
2014-06-16 15:48 - 2009-07-14 07:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2014-06-16 15:02 - 2013-11-02 18:34 - 00000000 ___RD () C:\Users\Alex\Desktop\Favoriten
2014-06-16 14:58 - 2014-06-16 14:58 - 00000000 ____D () C:\Users\Alex\AppData\Local\Blizzard Entertainment
2014-06-16 14:03 - 2014-05-10 03:11 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-06-16 14:03 - 2013-11-02 18:09 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-06-16 14:03 - 2009-07-14 07:32 - 00000000 ____D () C:\Windows\addins
2014-06-16 13:58 - 2014-06-16 13:58 - 00388608 _____ (Trend Micro Inc.) C:\Users\Alex\Desktop\HiJackThis204.exe
2014-06-16 13:58 - 2013-11-02 16:00 - 00000000 ____D () C:\Users\Alex\AppData\Local\VirtualStore
2014-06-16 13:56 - 2014-06-16 13:56 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-06-16 13:56 - 2014-06-16 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2014-06-16 13:56 - 2014-06-16 13:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-16 13:56 - 2014-06-16 13:56 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2014-06-16 13:56 - 2014-06-16 13:55 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Alex\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-16 12:32 - 2014-06-16 12:30 - 00001154 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-06-16 12:32 - 2013-11-02 18:09 - 00001166 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-06-16 12:29 - 2014-06-16 12:28 - 00284288 _____ (Mozilla) C:\Users\Alex\Downloads\Firefox Setup Stub 30.0.exe
2014-06-16 11:35 - 2014-06-16 11:35 - 03361884 _____ () C:\Users\Alex\Downloads\elvui-6.9997.zip
2014-06-16 11:18 - 2014-06-16 09:51 - 00074512 _____ (BitDefender SRL) C:\Windows\system32\bdsandboxuiskin32.dll
2014-06-16 09:53 - 2014-06-16 09:53 - 00523036 _____ () C:\ProgramData\1402905056.bdinstall.bin
2014-06-16 09:53 - 2014-06-16 09:53 - 00002193 _____ () C:\Users\Public\Desktop\Bitdefender Safepay.lnk
2014-06-16 09:53 - 2014-06-16 09:53 - 00002074 _____ () C:\Users\Public\Desktop\Bitdefender Total Security.lnk
2014-06-16 09:53 - 2014-06-16 09:53 - 00000684 ____H () C:\bdr-cf01
2014-06-16 09:53 - 2014-06-16 09:53 - 00000385 _____ () C:\Windows\system32\user_gensett.xml
2014-06-16 09:53 - 2014-06-16 09:53 - 00000385 _____ () C:\Users\Alex\AppData\Roaminguser_gensett.xml
2014-06-16 09:53 - 2014-06-16 09:53 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_avchv_01009.Wdf
2014-06-16 09:53 - 2014-06-16 09:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender
2014-06-16 09:53 - 2014-06-16 09:53 - 00000000 ____D () C:\ProgramData\BDLogging
2014-06-16 09:53 - 2014-06-16 09:52 - 00253404 ____H () C:\bdr-ld01
2014-06-16 09:53 - 2014-06-16 09:52 - 00009216 ____H () C:\bdr-ld01.mbr
2014-06-16 09:53 - 2014-06-16 09:52 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Bitdefender
2014-06-16 09:53 - 2014-06-16 09:51 - 00000000 ____D () C:\ProgramData\Bitdefender
2014-06-16 09:52 - 2014-06-16 09:51 - 00000000 ____D () C:\Program Files\Bitdefender
2014-06-16 09:51 - 2014-06-16 09:49 - 00000000 ____D () C:\Program Files\Common Files\Bitdefender
2014-06-16 09:50 - 2014-06-16 09:50 - 07304560 _____ () C:\Users\Alex\Downloads\bitdefender_tsecurity(1).exe
2014-06-16 09:50 - 2014-06-16 09:50 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\QuickScan
2014-06-16 09:49 - 2014-06-16 09:49 - 07304560 _____ () C:\Users\Alex\Downloads\bitdefender_tsecurity.exe
2014-06-16 00:44 - 2014-06-16 00:43 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Curse Advertising
2014-06-16 00:43 - 2014-06-16 00:43 - 00003110 _____ () C:\Windows\System32\Tasks\{70495B33-1C5A-432C-98DA-FEB4468E8575}
2014-06-16 00:43 - 2014-06-16 00:43 - 00000000 ____D () C:\Users\Alex\AppData\Local\Apps\2.0
2014-06-16 00:42 - 2014-06-16 00:42 - 00402696 _____ () C:\Users\Alex\Downloads\setup.exe
2014-06-15 23:49 - 2014-06-15 23:49 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\LavasoftStatistics
2014-06-15 23:48 - 2014-06-15 23:48 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Lavasoft
2014-06-15 23:43 - 2014-06-15 23:43 - 00000000 ____D () C:\ProgramData\Lavasoft
2014-06-15 23:43 - 2014-06-15 23:43 - 00000000 ____D () C:\Program Files\Common Files\Lavasoft
2014-06-15 23:42 - 2014-06-15 23:42 - 01707144 _____ () C:\Users\Alex\Downloads\Adaware_Installer.exe
2014-06-15 21:26 - 2013-11-02 19:18 - 00000000 ____D () C:\ProgramData\Origin
2014-06-15 20:25 - 2014-06-15 19:50 - 00000000 ____D () C:\Users\Alex\AppData\Local\._LiveCode_
2014-06-15 19:50 - 2014-06-15 19:50 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Acreon
2014-06-15 12:30 - 2014-06-15 12:30 - 02247960 _____ () C:\Users\Alex\Downloads\battlelog-web-plugins_2.4.0_141(1).exe
2014-06-15 10:11 - 2014-06-15 10:11 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-14 17:16 - 2014-03-09 20:19 - 00000000 ____D () C:\Windows\Minidump
2014-06-14 17:06 - 2014-06-14 17:05 - 04748896 _____ (Piriform Ltd) C:\Users\Alex\Downloads\ccsetup414.exe
2014-06-14 17:06 - 2013-11-02 19:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-06-14 09:38 - 2014-06-14 09:38 - 00000000 ____D () C:\Users\Alex\AppData\Local\Adobe
2014-06-12 19:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-06-11 23:20 - 2013-11-04 18:56 - 95414520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-11 23:20 - 2013-11-04 18:56 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-11 23:19 - 2014-04-30 22:26 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-06-11 23:15 - 2014-01-16 17:03 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-06-11 23:15 - 2013-11-02 18:19 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-06-11 23:15 - 2013-11-02 18:19 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-06-11 15:13 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-06-10 20:03 - 2014-06-10 20:00 - 00000000 ____D () C:\Users\Alex\Documents\BFH.Beta
2014-06-10 19:48 - 2014-06-10 19:48 - 00000827 _____ () C:\Users\Public\Desktop\Battlefield Hardline Beta.lnk
2014-06-10 19:48 - 2014-06-10 19:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battlefield Hardline Beta
2014-06-10 19:48 - 2013-11-02 20:44 - 00281872 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2014-06-10 19:48 - 2013-11-02 20:44 - 00281872 _____ () C:\Windows\SysWOW64\PnkBstrB.ex0
2014-06-10 19:48 - 2013-11-02 20:44 - 00076888 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2014-06-08 11:13 - 2014-06-11 16:50 - 00506368 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-06-08 11:08 - 2014-06-11 16:50 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-06-02 17:42 - 2013-11-02 16:44 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-05-30 17:45 - 2013-11-02 20:45 - 00000000 ____D () C:\Program Files (x86)\Battlelog Web Plugins
2014-05-30 12:21 - 2014-06-11 16:50 - 23414784 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-30 12:02 - 2014-06-11 16:50 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-30 12:02 - 2014-06-11 16:50 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-05-30 11:45 - 2014-06-11 16:50 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-05-30 11:39 - 2014-06-11 16:50 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-05-30 11:39 - 2014-06-11 16:50 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-05-30 11:38 - 2014-06-11 16:50 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-05-30 11:28 - 2014-06-11 16:50 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-05-30 11:27 - 2014-06-11 16:50 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-05-30 11:24 - 2014-06-11 16:50 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-05-30 11:21 - 2014-06-11 16:50 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-05-30 11:21 - 2014-06-11 16:50 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-05-30 11:20 - 2014-06-11 16:50 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-05-30 11:18 - 2014-06-11 16:50 - 17271296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-30 11:11 - 2014-06-11 16:50 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-05-30 11:08 - 2014-06-11 16:50 - 05782528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-05-30 11:06 - 2014-06-11 16:50 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-05-30 11:02 - 2014-06-11 16:50 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-30 10:55 - 2014-06-11 16:50 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-05-30 10:49 - 2014-06-11 16:50 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-05-30 10:46 - 2014-06-11 16:50 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-30 10:44 - 2014-06-11 16:50 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-05-30 10:44 - 2014-06-11 16:50 - 00295424 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-05-30 10:43 - 2014-06-11 16:50 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-05-30 10:42 - 2014-06-11 16:50 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-05-30 10:38 - 2014-06-11 16:50 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-05-30 10:35 - 2014-06-11 16:50 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-05-30 10:34 - 2014-06-11 16:50 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-05-30 10:33 - 2014-06-11 16:50 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-05-30 10:30 - 2014-06-11 16:50 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-05-30 10:29 - 2014-06-11 16:50 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-05-30 10:28 - 2014-06-11 16:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-05-30 10:27 - 2014-06-11 16:50 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-05-30 10:24 - 2014-06-11 16:50 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-05-30 10:23 - 2014-06-11 16:50 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-05-30 10:16 - 2014-06-11 16:50 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-05-30 10:10 - 2014-06-11 16:50 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-05-30 10:06 - 2014-06-11 16:50 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-05-30 10:04 - 2014-06-11 16:50 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-30 10:02 - 2014-06-11 16:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-05-30 09:56 - 2014-06-11 16:50 - 04244992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-05-30 09:56 - 2014-06-11 16:50 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-05-30 09:54 - 2014-06-11 16:50 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-05-30 09:50 - 2014-06-11 16:50 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-05-30 09:49 - 2014-06-11 16:50 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-05-30 09:43 - 2014-06-11 16:50 - 13522944 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-05-30 09:40 - 2014-06-11 16:50 - 11725312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-05-30 09:30 - 2014-06-11 16:50 - 01398272 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-05-30 09:21 - 2014-06-11 16:50 - 01790976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-05-30 09:15 - 2014-06-11 16:50 - 01143296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-05-30 09:13 - 2014-06-11 16:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-05-30 09:13 - 2014-06-11 16:50 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-05-30 01:07 - 2014-06-02 17:42 - 01715176 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2014-05-30 01:07 - 2014-06-02 17:42 - 01291232 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2014-05-30 01:07 - 2013-11-12 22:28 - 01279480 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2014-05-30 01:07 - 2013-11-12 22:28 - 01122312 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2014-05-29 22:16 - 2014-05-29 22:16 - 02247960 _____ () C:\Users\Alex\Downloads\battlelog-web-plugins_2.4.0_141.exe
2014-05-26 18:50 - 2013-11-02 16:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2014-05-26 18:50 - 2013-11-02 16:46 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-05-22 22:59 - 2014-05-22 22:59 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieUserList
2014-05-22 22:59 - 2014-05-22 22:59 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieSiteList
2014-05-20 04:44 - 2014-05-26 18:49 - 25256224 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 24025376 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 17561544 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 12688328 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2014-05-20 04:44 - 2014-05-26 18:49 - 11644928 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 11599072 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 09735256 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 09697640 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 03141976 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 02953672 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 02785568 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 02412376 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 01889112 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6433788.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 01541576 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6433788.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00895776 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00892704 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00867784 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00861128 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00837056 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00492376 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00416712 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00382240 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00354016 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00335704 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00305600 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00166568 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2014-05-20 04:44 - 2014-05-26 18:49 - 00146480 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2014-05-20 04:44 - 2014-04-22 17:06 - 17480432 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2014-05-20 04:44 - 2014-03-14 19:40 - 18531568 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2014-05-20 04:44 - 2014-03-14 19:40 - 16003912 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2014-05-20 04:44 - 2013-11-02 16:46 - 00061216 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2014-05-20 04:44 - 2013-11-02 16:46 - 00052056 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2014-05-20 04:44 - 2013-11-02 16:44 - 31387936 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2014-05-20 04:44 - 2013-11-02 16:44 - 14434704 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2014-05-20 04:44 - 2013-11-02 16:44 - 03109248 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2014-05-20 04:44 - 2013-11-02 16:44 - 02730208 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2014-05-20 04:44 - 2013-11-02 16:44 - 00952952 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2014-05-20 04:44 - 2013-11-02 16:44 - 00026069 _____ () C:\Windows\system32\nvinfo.pb
2014-05-20 03:25 - 2013-11-02 16:46 - 06769096 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2014-05-20 03:25 - 2013-11-02 16:46 - 03514144 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2014-05-20 03:25 - 2013-11-02 16:46 - 02560968 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2014-05-20 03:25 - 2013-11-02 16:46 - 00927520 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2014-05-20 03:25 - 2013-11-02 16:46 - 00387528 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2014-05-20 03:25 - 2013-11-02 16:46 - 00062808 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2014-05-20 01:10 - 2014-05-26 18:50 - 00601432 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe

Some content of TEMP:
====================
C:\Users\Alex\AppData\Local\Temp\avgnt.exe
C:\Users\Alex\AppData\Local\Temp\Dw64.dll


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-06-08 22:51

==================== End Of Log ============================
         
--- --- ---

--- --- ---


Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-06-2014
Ran by Alex at 2014-06-18 13:22:47
Running from C:\Users\Alex\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Bitdefender Antivirus (Enabled - Up to date) {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
AS: Bitdefender Spyware-Schutz (Enabled - Up to date) {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Enabled) {A23392FD-84B9-F933-2C71-81E751F6EF46}

==================== Installed Programs ======================

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.125 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Age of Empires II: HD Edition (HKLM-x32\...\Steam App 221380) (Version:  - Hidden Path Entertainment, Ensemble Studios)
AVG 2014 (Version: 14.0.3615 - AVG Technologies) Hidden
AVG 2014 (Version: 14.0.4158 - AVG Technologies) Hidden
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Battlefield 4™ (HKLM-x32\...\{ABADE36E-EC37-413B-8179-B432AD3FACE7}) (Version: 1.2.0.2 - Electronic Arts)
Battlefield™ Hardline Beta (HKLM-x32\...\{599276A7-F45D-40B1-A0B6-CF132A1CAD49}) (Version: 1.0.0.4 - Electronic Arts)
Bitdefender Total Security (HKLM\...\Bitdefender) (Version: 17.28.0.1191 - Bitdefender)
Canon MG2100 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2100_series) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.14 - Piriform)
Company of Heroes 2 (HKLM-x32\...\Steam App 231430) (Version:  - Relic Entertainment)
Core Temp 1.0 RC6 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
Counter-Strike: Global Offensive (HKLM-x32\...\Steam App 730) (Version:  - Valve)
Dead Island: Epidemic (HKLM-x32\...\Steam App 222900) (Version:  - Stunlock Studios)
Extended Update (HKCU\...\UpdaterEX) (Version:  - ) <==== ATTENTION
Free YouTube to MP3 Converter version 3.12.17.1125 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.17.1125 - DVDVideoSoft Ltd.)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.0.0.1323 - Intel Corporation)
Intel(R) Network Connections 18.5.54.0 (HKLM\...\PROSetDX) (Version: 18.5.54.0 - Intel)
Intel(R) Network Connections 18.5.54.0 (Version: 18.5.54.0 - Intel) Hidden
Intel(R) Update Manager (HKLM-x32\...\{12914061-EB9B-4AE7-AC7E-0B8A607C7DF4}) (Version: 2.3.1338 - Intel Corporation)
Intel® Trusted Connect Service Client (Version: 1.27.798.1 - Intel Corporation) Hidden
Logitech Gaming Software (Version: 8.45.88 - Logitech Inc.) Hidden
Logitech Gaming Software 8.50 (HKLM\...\Logitech Gaming Software) (Version: 8.50.281 - Logitech Inc.)
Malwarebytes Anti-Malware Version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
MediaMonkey 4.1 (HKLM-x32\...\MediaMonkey_is1) (Version: 4.1 - Ventis Media Inc.)
Microsoft .NET Framework 4.5.1 (DEU) (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610 (x32 Version: 11.0.60610 - Microsoft Corporation) Hidden
Mozilla Firefox 30.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 30.0 (x86 de)) (Version: 30.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
MSI Afterburner 2.3.1 (HKLM-x32\...\Afterburner) (Version: 2.3.1 - MSI Co., LTD)
NVIDIA 3D Vision Controller-Treiber 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 337.88 - NVIDIA Corporation)
NVIDIA 3D Vision Treiber 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 337.88 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1 - NVIDIA Corporation)
NVIDIA Grafiktreiber 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 337.88 - NVIDIA Corporation)
NVIDIA HD-Audiotreiber 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.157.1165 - NVIDIA Corporation) Hidden
NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA Network Service (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.1220 - NVIDIA Corporation) Hidden
NVIDIA PhysX-Systemsoftware 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
NVIDIA ShadowPlay 14.6.22 (Version: 14.6.22 - NVIDIA Corporation) Hidden
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.12.6514 - NVIDIA Corporation) Hidden
NVIDIA Systemsteuerung 337.88 (Version: 337.88 - NVIDIA Corporation) Hidden
NVIDIA Update 14.6.22 (Version: 14.6.22 - NVIDIA Corporation) Hidden
NVIDIA Update Core (Version: 14.6.22 - NVIDIA Corporation) Hidden
NVIDIA Virtual Audio 1.2.23 (Version: 1.2.23 - NVIDIA Corporation) Hidden
Open Broadcaster Software (HKLM-x32\...\Open Broadcaster Software) (Version:  - )
OpenOffice 4.0.1 (HKLM-x32\...\{0AEC308E-7EB3-47F7-BB59-F2C9C6166B27}) (Version: 4.01.9714 - Apache Software Foundation)
Origin (HKLM-x32\...\Origin) (Version: 9.3.10.4710 - Electronic Arts, Inc.)
PCGH-Skyrim-Tuner Version 2.1 (HKLM-x32\...\{B9A49BF6-3990-4E23-8DB2-6BCED39FAA0C}_is1) (Version: 2.1 - PCGH)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7004 - Realtek Semiconductor Corp.)
Samsung Magician (HKLM-x32\...\{29AE3F9F-7158-4ca7-B1ED-28A73ECDB215}_is1) (Version: 4.3.0 - Samsung Electronics)
SHIELD Streaming (Version: 2.1.214 - NVIDIA Corporation) Hidden
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.14 - TeamSpeak Systems GmbH)
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version:  - Bethesda Game Studios)
Titanfall™ (HKLM-x32\...\{347EE0C3-0690-48F6-A231-53853C2A80D6}) (Version: 1.0.3.6 - Electronic Arts)
VC_CRT_x64 (Version: 1.02.0000 - Intel Corporation) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
XFastUSB (HKLM-x32\...\XFastUSB) (Version: 3.02.31 - ASRock Inc.)

==================== Restore Points  =========================


==================== Hosts content: ==========================

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {089AFA84-80BE-4CAD-8972-99413A956EDD} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2014-02-28] ()
Task: {11F70035-2EC7-42E7-8569-611D2DCADAC0} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2014-02-28] ()
Task: {8BDA4746-EC05-4C1E-8AF2-4F0822864030} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-11] (Adobe Systems Incorporated)
Task: {DC6A98A0-16C6-4D8A-94CD-BD8146E44F94} - System32\Tasks\UpdaterEX => C:\Users\Alex\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {F9B9B4C4-83D1-4E08-B671-4A386784595A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-05-20] (Piriform Ltd)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Alex\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2014-06-16 09:53 - 2013-06-19 12:45 - 00265080 _____ () C:\Program Files\Bitdefender\Bitdefender\txmlutil.dll
2014-06-16 09:53 - 2014-05-26 19:03 - 00003072 _____ () C:\Program Files\Bitdefender\Bitdefender\UI\accessl.ui
2014-06-16 09:53 - 2011-11-14 20:17 - 00153680 _____ () C:\Program Files\Bitdefender\Bitdefender\bdfwcore.dll
2014-06-16 09:53 - 2014-05-26 19:03 - 00005120 _____ () C:\Program Files\Bitdefender\Bitdefender\UI\IMSecurityAL.ui
2014-06-18 11:33 - 2014-06-18 11:33 - 00780592 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00046_003\ashttpbr.mdl
2014-06-18 11:33 - 2014-06-18 11:33 - 00568400 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00046_003\ashttpdsp.mdl
2014-06-18 11:33 - 2014-06-18 11:33 - 02599584 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00046_003\ashttpph.mdl
2014-06-18 11:33 - 2014-06-18 11:33 - 01322896 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00046_003\ashttprbl.mdl
2013-11-02 16:46 - 2014-05-20 03:25 - 00116568 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-11-02 20:44 - 2014-06-10 19:48 - 00076888 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2014-06-16 09:53 - 2013-03-25 16:16 - 01117920 _____ () C:\Program Files\Bitdefender\Bitdefender SafeBox\System.Data.SQLite.dll
2014-06-18 13:19 - 2014-06-18 13:19 - 00050477 _____ () C:\Users\Alex\Downloads\Defogger.exe
2014-06-16 09:53 - 2014-03-15 01:05 - 00204280 _____ () C:\Program Files\Bitdefender\Bitdefender\antispam32\txmlutil.dll
2014-05-10 03:11 - 2014-06-06 06:38 - 03852912 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-06-16 09:53 - 2014-03-15 01:10 - 00035896 _____ () C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman\components\ffpwdman.dll
2013-11-02 16:47 - 2013-03-12 14:19 - 01199576 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Users\Alex\Desktop\HiJackThis204.exe:BDU
AlternateDataStreams: C:\Users\Alex\Desktop\tdsskiller.exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\avast_free_antivirus_setup_21514.exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\Battle.net-Setup-deDE(1).exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\Defogger.exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\Firefox Setup Stub 30.0.exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\FRST64.exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\Gmer-19357.exe:BDU
AlternateDataStreams: C:\Users\Alex\Downloads\mbam-setup-2.0.2.1012.exe:BDU

==================== Safe Mode (whitelisted) ===================


==================== EXE Association (whitelisted) =============


==================== MSCONFIG/TASK MANAGER disabled items =========

MSCONFIG\startupreg: AVG_UI => "F:\AVG\avgui.exe" /TRAYONLY
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\Steam.exe" -silent

==================== Faulty Device Manager Devices =============

Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM-Bus-Controller
Description: SM-Bus-Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/15/2014 08:48:11 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm avscan.exe, Version 14.0.4.632 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 27c

Startzeit: 01cf88c9d755845d

Endzeit: 60000

Anwendungspfad: C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe

Berichts-ID: 6b9da57c-f4bd-11e3-a292-00ac37b31c3d

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Rundll32.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc637
Name des fehlerhaften Moduls: kernel32.dll, Version: 6.1.7601.18409, Zeitstempel: 0x53159a85
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00013e64
ID des fehlerhaften Prozesses: 0x1624
Startzeit der fehlerhaften Anwendung: 0xRundll32.exe0
Pfad der fehlerhaften Anwendung: Rundll32.exe1
Pfad des fehlerhaften Moduls: Rundll32.exe2
Berichtskennung: Rundll32.exe3

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: rundll32.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc637
Name des fehlerhaften Moduls: kernel32.dll, Version: 6.1.7601.18409, Zeitstempel: 0x53159a85
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00013e64
ID des fehlerhaften Prozesses: 0x1174
Startzeit der fehlerhaften Anwendung: 0xrundll32.exe0
Pfad der fehlerhaften Anwendung: rundll32.exe1
Pfad des fehlerhaften Moduls: rundll32.exe2
Berichtskennung: rundll32.exe3

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: rundll32.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc637
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc00000fd
Fehleroffset: 0x77761234
ID des fehlerhaften Prozesses: 0x1310
Startzeit der fehlerhaften Anwendung: 0xrundll32.exe0
Pfad der fehlerhaften Anwendung: rundll32.exe1
Pfad des fehlerhaften Moduls: rundll32.exe2
Berichtskennung: rundll32.exe3

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: Rundll32.exe, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bc637
Name des fehlerhaften Moduls: SHLWAPI.dll, Version: 6.1.7601.17514, Zeitstempel: 0x4ce7b9e2
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00038996
ID des fehlerhaften Prozesses: 0x14e8
Startzeit der fehlerhaften Anwendung: 0xRundll32.exe0
Pfad der fehlerhaften Anwendung: Rundll32.exe1
Pfad des fehlerhaften Moduls: Rundll32.exe2
Berichtskennung: Rundll32.exe3

Error: (06/15/2014 07:02:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: TitanFall.exe, Version: 1.0.0.0, Zeitstempel: 0x5351c9ea
Name des fehlerhaften Moduls: d3d11.dll_unloaded, Version: 0.0.0.0, Zeitstempel: 0x5153b56b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x000007fef5090c15
ID des fehlerhaften Prozesses: 0xa58
Startzeit der fehlerhaften Anwendung: 0xTitanFall.exe0
Pfad der fehlerhaften Anwendung: TitanFall.exe1
Pfad des fehlerhaften Moduls: TitanFall.exe2
Berichtskennung: TitanFall.exe3

Error: (06/05/2014 07:45:33 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : ('Device Profile Push Failure', ConnectionError(MaxRetryError("HTTPSConnectionPool(host='servicegateway.intel.com', port=443): Max retries exceeded with url: /DeviceProfile/Service.svc/Rest/DeviceProfileManager?deviceId=d48c5bb7-a312-4321-8880-2562857c9f5d&DomainId=50964a88-ab5f-4c91-b70e-66a2eadb5423 (Caused by <class 'socket.error'>: [Errno 10054] Eine vorhandene Verbindung wurde vom Remotehost geschlossen)",),))

Error: (06/05/2014 07:45:20 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : ('Device Profile Push Failure', ConnectionError(MaxRetryError("HTTPSConnectionPool(host='servicegateway.intel.com', port=443): Max retries exceeded with url: /DeviceProfile/Service.svc/Rest/DeviceProfileManager?deviceId=d48c5bb7-a312-4321-8880-2562857c9f5d&DomainId=E57B59E7-5862-4250-9CE0-76FB411DC0D2 (Caused by <class 'socket.error'>: [Errno 10054] Eine vorhandene Verbindung wurde vom Remotehost geschlossen)",),))

Error: (06/05/2014 07:45:17 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : ('Device Profile Push Failure', ConnectionError(MaxRetryError("HTTPSConnectionPool(host='servicegateway.intel.com', port=443): Max retries exceeded with url: /DeviceProfile/Service.svc/Rest/DeviceProfileManager?deviceId=d48c5bb7-a312-4321-8880-2562857c9f5d&DomainId=821fe777-bf67-463b-99f0-b2e0e4d9813b (Caused by <class 'socket.error'>: [Errno 10054] Eine vorhandene Verbindung wurde vom Remotehost geschlossen)",),))

Error: (06/05/2014 07:45:13 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : (u'Device Profile Push Failure, {"FaultCode":"DPM-22999","IsClientFault":false,"UserMessage":"An error occurred at backend in device profile service"}', HTTPError('500 Server Error: Internal Server Error',))


System errors:
=============
Error: (06/18/2014 11:56:09 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/18/2014 11:49:41 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/18/2014 11:48:59 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst VSSERV erreicht.

Error: (06/18/2014 10:15:25 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/17/2014 10:42:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/17/2014 08:30:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/16/2014 02:03:21 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/16/2014 10:17:57 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2

Error: (06/16/2014 09:03:42 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: 
cdrom

Error: (06/16/2014 09:03:32 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "AVG WatchDog" wurde aufgrund folgenden Fehlers nicht gestartet: 
%%2


Microsoft Office Sessions:
=========================
Error: (06/15/2014 08:48:11 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: avscan.exe14.0.4.63227c01cf88c9d755845d60000C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe6b9da57c-f4bd-11e3-a292-00ac37b31c3d

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Rundll32.exe6.1.7600.163854a5bc637kernel32.dll6.1.7601.1840953159a85c000000500013e64162401cf88c25dd6ce06C:\Windows\SysWOW64\Rundll32.exeC:\Windows\syswow64\kernel32.dll9b954322-f4b5-11e3-843f-00ac37b31c3d

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: rundll32.exe6.1.7600.163854a5bc637kernel32.dll6.1.7601.1840953159a85c000000500013e64117401cf88c25ddbd729C:\Windows\SysWOW64\rundll32.exeC:\Windows\syswow64\kernel32.dll9b951c12-f4b5-11e3-843f-00ac37b31c3d

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: rundll32.exe6.1.7600.163854a5bc637unknown0.0.0.000000000c00000fd77761234131001cf88c25ddf0b85C:\Windows\SysWOW64\rundll32.exeunknown9b9431ae-f4b5-11e3-843f-00ac37b31c3d

Error: (06/15/2014 07:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Rundll32.exe6.1.7600.163854a5bc637SHLWAPI.dll6.1.7601.175144ce7b9e2c00000050003899614e801cf88c25ddd0fadC:\Windows\SysWOW64\Rundll32.exeC:\Windows\syswow64\SHLWAPI.dll9b947fcf-f4b5-11e3-843f-00ac37b31c3d

Error: (06/15/2014 07:02:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: TitanFall.exe1.0.0.05351c9ead3d11.dll_unloaded0.0.0.05153b56bc0000005000007fef5090c15a5801cf88bab809508fE:\Program Files (x86)\Origin Games\Titanfall\TitanFall.exed3d11.dllc36cfec5-f4ae-11e3-843f-00ac37b31c3d

Error: (06/05/2014 07:45:33 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : ('Device Profile Push Failure', ConnectionError(MaxRetryError("HTTPSConnectionPool(host='servicegateway.intel.com', port=443): Max retries exceeded with url: /DeviceProfile/Service.svc/Rest/DeviceProfileManager?deviceId=d48c5bb7-a312-4321-8880-2562857c9f5d&DomainId=50964a88-ab5f-4c91-b70e-66a2eadb5423 (Caused by <class 'socket.error'>: [Errno 10054] Eine vorhandene Verbindung wurde vom Remotehost geschlossen)",),))

Error: (06/05/2014 07:45:20 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : ('Device Profile Push Failure', ConnectionError(MaxRetryError("HTTPSConnectionPool(host='servicegateway.intel.com', port=443): Max retries exceeded with url: /DeviceProfile/Service.svc/Rest/DeviceProfileManager?deviceId=d48c5bb7-a312-4321-8880-2562857c9f5d&DomainId=E57B59E7-5862-4250-9CE0-76FB411DC0D2 (Caused by <class 'socket.error'>: [Errno 10054] Eine vorhandene Verbindung wurde vom Remotehost geschlossen)",),))

Error: (06/05/2014 07:45:17 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : ('Device Profile Push Failure', ConnectionError(MaxRetryError("HTTPSConnectionPool(host='servicegateway.intel.com', port=443): Max retries exceeded with url: /DeviceProfile/Service.svc/Rest/DeviceProfileManager?deviceId=d48c5bb7-a312-4321-8880-2562857c9f5d&DomainId=821fe777-bf67-463b-99f0-b2e0e4d9813b (Caused by <class 'socket.error'>: [Errno 10054] Eine vorhandene Verbindung wurde vom Remotehost geschlossen)",),))

Error: (06/05/2014 07:45:13 PM) (Source: iumsvc) (EventID: 255) (User: )
Description: Exception : (u'Device Profile Push Failure, {"FaultCode":"DPM-22999","IsClientFault":false,"UserMessage":"An error occurred at backend in device profile service"}', HTTPError('500 Server Error: Internal Server Error',))


==================== Memory info =========================== 

Percentage of memory in use: 27%
Total physical RAM: 8111.46 MB
Available physical RAM: 5877.2 MB
Total Pagefile: 16621.09 MB
Available Pagefile: 14166.98 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive c: (SSD) (Fixed) (Total:232.79 GB) (Free:198.91 GB) NTFS
Drive d: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (HDD) (Fixed) (Total:931.41 GB) (Free:707.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: E26C8224)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 8EEE2030)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)

==================== End Of Log ============================
         

Alt 18.06.2014, 13:05   #4
Exa
 

Angeblicher Keylogger/Rootkit: Doctor2 rundll32.exe



GMER part 1

Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-06-18 13:38:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Samsung_SSD_840_EVO_250GB rev.EXT0BB6Q 232,89GB
Running: Gmer-19357(1).exe; Driver: C:\Users\Alex\AppData\Local\Temp\kxldrpog.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                              0000000076f31570 6 bytes [48, B8, F0, 12, 80, 01]
.text    C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                          0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[988] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1                                                                 0000000076d5b7e1 11 bytes [B8, F0, 12, 74, 01, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                                                  000007feff0ab85c 12 bytes [48, B8, F9, 6A, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                                            000007feff0ab9d0 12 bytes [48, B8, 79, 60, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                                            000007feff0aba3c 12 bytes [48, B8, B9, 5E, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!connect                                                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1336] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                         0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                   0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                               0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                    0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                                0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                             0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!connect                                                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\svchost.exe[1384] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
         

Alt 18.06.2014, 13:06   #5
Exa
 
GMER part 2
Code:
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                         0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                   0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                               0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                    0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                                0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                             0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!connect                                                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                         0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                   0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                               0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                    0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                                0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                       0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                                   0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                                            000000007716e8ab 5 bytes JMP 0000000175631f71
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                                    0000000074f70e00 5 bytes JMP 0000000075631da9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                     0000000074f71072 5 bytes JMP 0000000075632a21
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                                       0000000074f7499f 5 bytes JMP 00000000756325f9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                             0000000074f83bbb 4 bytes JMP 0000000075633011
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                                           0000000074f97327 5 bytes JMP 0000000075632729
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                                     0000000074f988da 5 bytes JMP 0000000075636451
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!WinExec                                                                            0000000074ff2ff1 5 bytes JMP 00000000756328f1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                                  000000007501748b 5 bytes JMP 00000000756346a1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                                  00000000750174ae 5 bytes JMP 00000000756347d1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                                       0000000075017859 5 bytes JMP 0000000075634901
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                                       00000000750178d2 5 bytes JMP 0000000075634a31
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                                          0000000076c78f8d 5 bytes JMP 0000000175631a19
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                                      0000000076c7c436 5 bytes JMP 0000000175633b59
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                               0000000076c7eca6 5 bytes JMP 0000000175633601
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                                      0000000076c7f206 5 bytes JMP 0000000175632399
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                                  0000000076c7fa89 5 bytes JMP 0000000175631e41
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                                     0000000076c81358 5 bytes JMP 0000000175633ac1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                                       0000000076c8137f 5 bytes JMP 0000000175633a29
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                                 0000000076c81d29 5 bytes JMP 0000000175631981
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                                   0000000076c81e15 5 bytes JMP 00000001756324c9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                   0000000076c82ab1 5 bytes JMP 0000000175636029
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                                   0000000076c82cd9 5 bytes JMP 0000000175635f91
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                                      0000000076c82d17 5 bytes JMP 00000001756360c1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                                 0000000076c82e7a 5 bytes JMP 00000001756318e9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                                          0000000076c83b70 5 bytes JMP 0000000175632269
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                                            0000000076c84496 5 bytes JMP 0000000175632431
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                                     0000000076c84608 5 bytes JMP 0000000175633569
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                               0000000076c84631 5 bytes JMP 0000000175632c81
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                                      0000000076c8c734 5 bytes JMP 00000001756327c1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!GetMessageW                                                                          0000000074b878e2 5 bytes JMP 0000000075634441
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!GetMessageA                                                                          0000000074b87bd3 5 bytes JMP 00000000756343a9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                      0000000074b88a29 5 bytes JMP 00000000756357d9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowW                                                                          0000000074b898fd 5 bytes JMP 0000000075636289
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                                              0000000074b8b6ed 5 bytes JMP 0000000075636b71
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                      0000000074b8d22e 5 bytes JMP 0000000075635871
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                      0000000074b8ee09 5 bytes JMP 00000000756334d1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowA                                                                          0000000074b8ffe6 5 bytes JMP 0000000075636159
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                                        0000000074b900d9 5 bytes JMP 00000000756361f1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                                         0000000074b905ba 5 bytes JMP 0000000075634571
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!ShowWindow                                                                           0000000074b90dfb 4 bytes JMP 0000000075635909
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                         0000000074b912a5 5 bytes JMP 0000000075636ad9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                                       0000000074b920ec 5 bytes JMP 0000000075635c99
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                         0000000074b93baa 5 bytes JMP 0000000075636a41
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                                         0000000074b95f74 5 bytes JMP 00000000756344d9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                                       0000000074b96285 5 bytes JMP 0000000075634bf9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                    0000000074b97603 5 bytes JMP 0000000075632be9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                                       0000000074b97aee 5 bytes JMP 0000000075635c01
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                    0000000074b9835c 5 bytes JMP 0000000075632b51
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                                           0000000074bace54 5 bytes JMP 0000000075635a39
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                  0000000074baf52b 4 bytes JMP 0000000075634c91
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                                        0000000074baf588 5 bytes JMP 0000000075636321
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                                        0000000074bb10a0 5 bytes JMP 00000000756359a1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                                        0000000074bdfcd6 5 bytes JMP 0000000075635ad1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                                        0000000074bdfcfa 5 bytes JMP 0000000075635b69
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                                           000000007679a472 5 bytes JMP 0000000175636c09
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                                           00000000767a27ce 5 bytes JMP 0000000175631be1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                                         00000000767ae6cf 5 bytes JMP 0000000175631b49
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                       00000000766fc9ec 5 bytes JMP 0000000175633c89
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                                       0000000076702b70 5 bytes JMP 0000000175633bf1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                 000000007670361c 5 bytes JMP 00000001756340b1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                                0000000076704965 5 bytes JMP 0000000175636ca1
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                     00000000767170c4 5 bytes JMP 0000000175634311
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                     00000000767170dc 5 bytes JMP 0000000175633e51
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                                      00000000767170f4 5 bytes JMP 0000000175633ee9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                               00000000767331f4 5 bytes JMP 0000000175633f81
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                               0000000076733204 5 bytes JMP 0000000175634019
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                                  0000000076733214 5 bytes JMP 0000000175633d21
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                                  0000000076733224 5 bytes JMP 0000000175633db9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                     0000000076733264 5 bytes JMP 0000000175634279
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1936] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                                   00000000006d0179 5 bytes JMP 0000000075634d29


Alt 18.06.2014, 13:07   #6
Exa

Alleged keylogger/rootkit: Doctor2 rundll32.exe - Standard

Alleged keylogger/rootkit: Doctor2 rundll32.exe



GMER part 3

Code:
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                         0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                   0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                               0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                    0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                                0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                             0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!connect                                                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1620] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                         0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                   0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                               0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                    0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                                0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                       0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                                   0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                             0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!connect                                                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\System32\spoolsv.exe[1796] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\svchost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]

Old 18.06.2014, 13:08   #7
Exa
 
Alleged keylogger/rootkit: Doctor2 rundll32.exe - Standard

Alleged keylogger/rootkit: Doctor2 rundll32.exe



GMER part 4

Code:
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                              0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                     0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                 0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                    0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                   0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                               0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                       0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                   0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                   0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                               0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                 0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                             0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                             0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                         0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                   0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                               0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                    0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                       0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                   0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                             0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!closesocket                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!connect                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!send + 1                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!socket + 1                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!recv + 1                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\d3d9.dll!Direct3DCreate9                                                                     000007fef6d996b0 12 bytes [48, B8, F9, 8D, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                              000007feff094ea1 11 bytes [B8, 79, F3, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                  000007feff0955c8 12 bytes [48, B8, B9, 6C, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                  000007feff0ab85c 12 bytes [48, B8, F9, 6A, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                            000007feff0ab9d0 12 bytes [48, B8, 79, 60, 77, 75, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2264] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                            000007feff0aba3c 12 bytes [48, B8, B9, 5E, 77, 75, 00, ...]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                           00000000770df9e0 5 bytes JMP 00000001756364e9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                                                           00000000770dfb28 5 bytes JMP 0000000175635ef9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                     00000000770dfc20 5 bytes JMP 00000001756331d9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                00000000770dfc50 5 bytes JMP 00000001756315f1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                                                              00000000770dfc80 5 bytes JMP 0000000175631689
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                                00000000770dfcb0 5 bytes JMP 0000000175635e61
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                              00000000770dfe14 5 bytes JMP 00000001756330a9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                                 00000000770dfe44 5 bytes JMP 0000000175633309
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                                                                  00000000770dff24 5 bytes JMP 0000000175633271
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                                 00000000770dffec 5 bytes JMP 0000000175632ee1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                                    00000000770e0004 5 bytes JMP 0000000175632db1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                      00000000770e00b4 5 bytes JMP 0000000175631ed9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                     00000000770e01c4 5 bytes JMP 0000000175632301
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                                   00000000770e0814 5 bytes JMP 0000000175632e49
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                                  00000000770e08a4 5 bytes JMP 0000000175632d19
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                      00000000770e0df4 5 bytes JMP 0000000175636581
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                                                                  00000000770e1604 5 bytes JMP 0000000175634ac9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                00000000770e1920 5 bytes JMP 0000000175633141
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                            00000000770e1be4 5 bytes JMP 0000000175636619
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                                                                                  00000000770e1d54 5 bytes JMP 0000000175633439
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                                   00000000770e1d70 5 bytes JMP 00000001756333a1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                                                                      00000000770e1ee8 5 bytes JMP 00000001756369a9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                                                                        00000000770f88c4 5 bytes JMP 0000000175631ab1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                                                                      0000000077120d3b 5 bytes JMP 0000000175632009
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                                                                000000007716860f 5 bytes JMP 0000000175634b61
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                                                                        000000007716e8ab 5 bytes JMP 0000000175631f71
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                                                                0000000074f70e00 5 bytes JMP 0000000075631da9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                                 0000000074f71072 5 bytes JMP 0000000075632a21
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                                                                   0000000074f7499f 5 bytes JMP 00000000756325f9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                         0000000074f83bbb 4 bytes JMP 0000000075633011
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                                                                       0000000074f97327 5 bytes JMP 0000000075632729
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                                                                 0000000074f988da 5 bytes JMP 0000000075636451
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                                        0000000074ff2ff1 5 bytes JMP 00000000756328f1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                                                              000000007501748b 5 bytes JMP 00000000756346a1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                                                              00000000750174ae 5 bytes JMP 00000000756347d1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                                                                   0000000075017859 5 bytes JMP 0000000075634901
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                                                                   00000000750178d2 5 bytes JMP 0000000075634a31
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                                                                      0000000076c78f8d 5 bytes JMP 0000000175631a19
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                                                                  0000000076c7c436 5 bytes JMP 0000000175633b59
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                                                           0000000076c7eca6 5 bytes JMP 0000000175633601
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                                                                  0000000076c7f206 5 bytes JMP 0000000175632399
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                                                              0000000076c7fa89 5 bytes JMP 0000000175631e41
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                                                                 0000000076c81358 5 bytes JMP 0000000175633ac1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                                                                   0000000076c8137f 5 bytes JMP 0000000175633a29
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                                                             0000000076c81d29 5 bytes JMP 0000000175631981
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                                                               0000000076c81e15 5 bytes JMP 00000001756324c9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                               0000000076c82ab1 5 bytes JMP 0000000175636029
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                                                               0000000076c82cd9 5 bytes JMP 0000000175635f91
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                                                                  0000000076c82d17 5 bytes JMP 00000001756360c1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                                                             0000000076c82e7a 5 bytes JMP 00000001756318e9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                                                                      0000000076c83b70 5 bytes JMP 0000000175632269
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                                                                        0000000076c84496 5 bytes JMP 0000000175632431
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                                                                 0000000076c84608 5 bytes JMP 0000000175633569
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                                                           0000000076c84631 5 bytes JMP 0000000175632c81
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                                                                  0000000076c8c734 5 bytes JMP 00000001756327c1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!GetMessageW                                                                                                      0000000074b878e2 5 bytes JMP 0000000075634441
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!GetMessageA                                                                                                      0000000074b87bd3 5 bytes JMP 00000000756343a9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                                                  0000000074b88a29 5 bytes JMP 00000000756357d9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!FindWindowW                                                                                                      0000000074b898fd 5 bytes JMP 0000000075636289
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                                                                          0000000074b8b6ed 5 bytes JMP 0000000075636b71
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                                                  0000000074b8d22e 5 bytes JMP 0000000075635871
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                                  0000000074b8ee09 5 bytes JMP 00000000756334d1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!FindWindowA                                                                                                      0000000074b8ffe6 5 bytes JMP 0000000075636159
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                                                                    0000000074b900d9 5 bytes JMP 00000000756361f1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                                                                     0000000074b905ba 5 bytes JMP 0000000075634571
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!ShowWindow                                                                                                       0000000074b90dfb 4 bytes JMP 0000000075635909
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                     0000000074b912a5 5 bytes JMP 0000000075636ad9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                                                                   0000000074b920ec 5 bytes JMP 0000000075635c99
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                     0000000074b93baa 5 bytes JMP 0000000075636a41
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                                                                     0000000074b95f74 5 bytes JMP 00000000756344d9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                                                                   0000000074b96285 5 bytes JMP 0000000075634bf9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                                0000000074b97603 5 bytes JMP 0000000075632be9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                                                                   0000000074b97aee 5 bytes JMP 0000000075635c01
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                                0000000074b9835c 5 bytes JMP 0000000075632b51
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                                                                       0000000074bace54 5 bytes JMP 0000000075635a39
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                                              0000000074baf52b 4 bytes JMP 0000000075634c91
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                                                                    0000000074baf588 5 bytes JMP 0000000075636321
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                                                                    0000000074bb10a0 5 bytes JMP 00000000756359a1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                                                                    0000000074bdfcd6 5 bytes JMP 0000000075635ad1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                                                                    0000000074bdfcfa 5 bytes JMP 0000000075635b69
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                                                                       000000007679a472 5 bytes JMP 0000000175636c09
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                                                                       00000000767a27ce 5 bytes JMP 0000000175631be1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                                                                     00000000767ae6cf 5 bytes JMP 0000000175631b49
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                                   00000000766fc9ec 5 bytes JMP 0000000175633c89
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                                                                   0000000076702b70 5 bytes JMP 0000000175633bf1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                             000000007670361c 5 bytes JMP 00000001756340b1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                                                            0000000076704965 5 bytes JMP 0000000175636ca1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                 00000000767170c4 5 bytes JMP 0000000175634311
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                                 00000000767170dc 5 bytes JMP 0000000175633e51
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                                                                  00000000767170f4 5 bytes JMP 0000000175633ee9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                                                           00000000767331f4 5 bytes JMP 0000000175633f81
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                                                           0000000076733204 5 bytes JMP 0000000175634019
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                                                              0000000076733214 5 bytes JMP 0000000175633d21
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                                                              0000000076733224 5 bytes JMP 0000000175633db9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                 0000000076733264 5 bytes JMP 0000000175634279
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                                                               00000000007c0179 5 bytes JMP 0000000075634d29
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                                                                00000000712c1a22 2 bytes [2C, 71]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                                                                00000000712c1ad0 2 bytes [2C, 71]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                                                                00000000712c1b08 2 bytes [2C, 71]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                                                                                                00000000712c1bba 2 bytes [2C, 71]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                                                                                                00000000712c1bda 2 bytes [2C, 71]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!closesocket                                                                                                      0000000075d53918 5 bytes JMP 0000000175635dc9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                                                                       0000000075d53cd3 5 bytes JMP 0000000175635d31
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!socket                                                                                                           0000000075d53eb8 5 bytes JMP 00000001756366b1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!WSASend                                                                                                          0000000075d54406 5 bytes JMP 0000000175632139
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                                                                     0000000075d54889 5 bytes JMP 00000001756356a9
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!recv                                                                                                             0000000075d56b0e 5 bytes JMP 0000000175636879
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!connect                                                                                                          0000000075d56bdd 1 byte JMP 00000001756341e1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                                                                      0000000075d56bdf 3 bytes {CALL RBP}
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!send                                                                                                             0000000075d56f01 5 bytes JMP 00000001756320a1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                                                                          0000000075d57089 5 bytes JMP 0000000175636911
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                                                       0000000075d5cc3f 5 bytes JMP 00000001756367e1
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                                                                    0000000075d67673 5 bytes JMP 0000000175635741
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                         0000000076b31465 2 bytes [B3, 76]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                        0000000076b314bb 2 bytes [B3, 76]
.text    ...                                                                                                                                                                                    * 2
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[2404] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]

Old 18.06.2014, 13:09   #8
Exa

Alleged Keylogger/Rootkit: Doctor2 rundll32.exe

GMER Part 5

Code:
.text    C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          0000000076f31570 6 bytes [48, B8, F0, 12, 89, 01]
.text    C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                      0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2440] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1                                                             0000000076d5b7e1 11 bytes [B8, F0, 12, 98, 01, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                               0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                           0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                 0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                             0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                               0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                           0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                  0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                              0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                   0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                               0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                  0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                    0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                       0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                     0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                     0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                              0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                              0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                         000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                         000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                      000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                          000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                            000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                      000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                          000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                      000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                  000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                 000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                        000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                         000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                               000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                     000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                               000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                          000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                      000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                      000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                 000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                 000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                              000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                 000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!connect                                                                                                     000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                    000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                               000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                           000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                  000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                    000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\wbem\wmiprvse.exe[3200] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                              000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                  0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                  0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                           0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                       0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                           0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                       0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                     0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                 0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                            0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                              0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                          0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                            0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                              0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                          0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                 0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                             0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                  0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                              0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                 0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                             0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                    0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                   0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                               0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                  0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                              0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                      0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                  0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                                  0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                              0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                            0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                            0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                        0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                  0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                              0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                   0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                               0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                      0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                                  0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                            0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                             0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                       0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                         0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                            0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                          0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                          0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                   0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                   0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                              000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                              000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                           000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                               000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                 000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                           000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                               000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                           000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                       000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                      000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                             000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                              000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                    000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                          000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                    000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                               000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                           000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                           000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49                                                                                             000007feff094ea1 11 bytes [B8, 39, EE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                                 000007feff0955c8 12 bytes [48, B8, B9, 6C, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                                                 000007feff0ab85c 12 bytes [48, B8, F9, 6A, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                                           000007feff0ab9d0 12 bytes [48, B8, 79, 60, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                                           000007feff0aba3c 12 bytes [48, B8, B9, 5E, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\Dxva2.dll!DXVA2CreateVideoService + 1                                                                                       000007feedd73b21 11 bytes [B8, 39, 9A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\Dxva2.dll!DXVAHD_CreateDevice + 1                                                                                           000007feedd7fbd1 11 bytes [B8, F9, 94, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                      000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                      000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                   000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                      000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                     000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!connect                                                                                                          000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                         000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                    000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                       000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                         000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\taskhost.exe[3772] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                   000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
         

Alt 18.06.2014, 13:10   #9
Exa
 
Angeblicher Keylogger/Rootkit: Doctor2 rundll32.exe - Standard


GMER Part 6

Code:
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                  00000000770df9e0 5 bytes JMP 00000001756364e9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                                  00000000770dfb28 5 bytes JMP 0000000175635ef9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                            00000000770dfc20 5 bytes JMP 00000001756331d9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                       00000000770dfc50 5 bytes JMP 00000001756315f1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                                     00000000770dfc80 5 bytes JMP 0000000175631689
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                       00000000770dfcb0 5 bytes JMP 0000000175635e61
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                     00000000770dfe14 5 bytes JMP 00000001756330a9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                        00000000770dfe44 5 bytes JMP 0000000175633309
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                                         00000000770dff24 5 bytes JMP 0000000175633271
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                        00000000770dffec 5 bytes JMP 0000000175632ee1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                           00000000770e0004 5 bytes JMP 0000000175632db1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                             00000000770e00b4 5 bytes JMP 0000000175631ed9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                            00000000770e01c4 5 bytes JMP 0000000175632301
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                          00000000770e0814 5 bytes JMP 0000000175632e49
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                         00000000770e08a4 5 bytes JMP 0000000175632d19
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                             00000000770e0df4 5 bytes JMP 0000000175636581
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                                         00000000770e1604 5 bytes JMP 0000000175634ac9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                       00000000770e1920 5 bytes JMP 0000000175633141
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                   00000000770e1be4 5 bytes JMP 0000000175636619
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                                                         00000000770e1d54 5 bytes JMP 0000000175633439
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                          00000000770e1d70 5 bytes JMP 00000001756333a1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                                             00000000770e1ee8 5 bytes JMP 00000001756369a9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                                               00000000770f88c4 5 bytes JMP 0000000175631ab1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                                             0000000077120d3b 5 bytes JMP 0000000175632009
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                                       000000007716860f 5 bytes JMP 0000000175634b61
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                                               000000007716e8ab 5 bytes JMP 0000000175631f71
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                                       0000000074f70e00 5 bytes JMP 0000000075631da9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                        0000000074f71072 5 bytes JMP 0000000075632a21
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                                          0000000074f7499f 5 bytes JMP 00000000756325f9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                0000000074f83bbb 4 bytes JMP 0000000075633011
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                                              0000000074f97327 5 bytes JMP 0000000075632729
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                                        0000000074f988da 5 bytes JMP 0000000075636451
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!WinExec                                                                               0000000074ff2ff1 5 bytes JMP 00000000756328f1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                                     000000007501748b 5 bytes JMP 00000000756346a1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                                     00000000750174ae 5 bytes JMP 00000000756347d1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                                          0000000075017859 5 bytes JMP 0000000075634901
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                                          00000000750178d2 5 bytes JMP 0000000075634a31
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                                             0000000076c78f8d 5 bytes JMP 0000000175631a19
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                                         0000000076c7c436 5 bytes JMP 0000000175633b59
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                                  0000000076c7eca6 5 bytes JMP 0000000175633601
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                                         0000000076c7f206 5 bytes JMP 0000000175632399
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                                     0000000076c7fa89 5 bytes JMP 0000000175631e41
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                                        0000000076c81358 5 bytes JMP 0000000175633ac1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                                          0000000076c8137f 5 bytes JMP 0000000175633a29
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                                    0000000076c81d29 5 bytes JMP 0000000175631981
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                                      0000000076c81e15 5 bytes JMP 00000001756324c9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                      0000000076c82ab1 5 bytes JMP 0000000175636029
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                                      0000000076c82cd9 5 bytes JMP 0000000175635f91
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                                         0000000076c82d17 5 bytes JMP 00000001756360c1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                                    0000000076c82e7a 5 bytes JMP 00000001756318e9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                                             0000000076c83b70 5 bytes JMP 0000000175632269
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                                               0000000076c84496 5 bytes JMP 0000000175632431
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                                        0000000076c84608 5 bytes JMP 0000000175633569
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                                  0000000076c84631 5 bytes JMP 0000000175632c81
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                                         0000000076c8c734 5 bytes JMP 00000001756327c1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!GetMessageW                                                                             0000000074b878e2 5 bytes JMP 0000000075634441
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!GetMessageA                                                                             0000000074b87bd3 5 bytes JMP 00000000756343a9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                         0000000074b88a29 5 bytes JMP 00000000756357d9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!FindWindowW                                                                             0000000074b898fd 5 bytes JMP 0000000075636289
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                                                 0000000074b8b6ed 5 bytes JMP 0000000075636b71
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                         0000000074b8d22e 5 bytes JMP 0000000075635871
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                         0000000074b8ee09 5 bytes JMP 00000000756334d1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!FindWindowA                                                                             0000000074b8ffe6 5 bytes JMP 0000000075636159
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                                           0000000074b900d9 5 bytes JMP 00000000756361f1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                                            0000000074b905ba 5 bytes JMP 0000000075634571
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!ShowWindow                                                                              0000000074b90dfb 4 bytes JMP 0000000075635909
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                            0000000074b912a5 5 bytes JMP 0000000075636ad9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                                          0000000074b920ec 5 bytes JMP 0000000075635c99
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                            0000000074b93baa 5 bytes JMP 0000000075636a41
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                                            0000000074b95f74 5 bytes JMP 00000000756344d9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                                          0000000074b96285 5 bytes JMP 0000000075634bf9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                       0000000074b97603 5 bytes JMP 0000000075632be9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                                          0000000074b97aee 5 bytes JMP 0000000075635c01
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                       0000000074b9835c 5 bytes JMP 0000000075632b51
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                                              0000000074bace54 5 bytes JMP 0000000075635a39
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                     0000000074baf52b 4 bytes JMP 0000000075634c91
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                                           0000000074baf588 5 bytes JMP 0000000075636321
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                                           0000000074bb10a0 5 bytes JMP 00000000756359a1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                                           0000000074bdfcd6 5 bytes JMP 0000000075635ad1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                                           0000000074bdfcfa 5 bytes JMP 0000000075635b69
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                                              000000007679a472 5 bytes JMP 0000000175636c09
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                                              00000000767a27ce 5 bytes JMP 0000000175631be1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                                            00000000767ae6cf 5 bytes JMP 0000000175631b49
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                          00000000766fc9ec 5 bytes JMP 0000000175633c89
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                                          0000000076702b70 5 bytes JMP 0000000175633bf1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                    000000007670361c 5 bytes JMP 00000001756340b1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                                   0000000076704965 5 bytes JMP 0000000175636ca1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                        00000000767170c4 5 bytes JMP 0000000175634311
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                        00000000767170dc 5 bytes JMP 0000000175633e51
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                                         00000000767170f4 5 bytes JMP 0000000175633ee9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                                  00000000767331f4 5 bytes JMP 0000000175633f81
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                                  0000000076733204 5 bytes JMP 0000000175634019
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                                     0000000076733214 5 bytes JMP 0000000175633d21
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                                     0000000076733224 5 bytes JMP 0000000175633db9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                        0000000076733264 5 bytes JMP 0000000175634279
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                                      0000000001be0179 5 bytes JMP 0000000075634d29
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!closesocket                                                                             0000000075d53918 5 bytes JMP 0000000175635dc9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                                              0000000075d53cd3 5 bytes JMP 0000000175635d31
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!socket                                                                                  0000000075d53eb8 5 bytes JMP 00000001756366b1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!WSASend                                                                                 0000000075d54406 5 bytes JMP 0000000175632139
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                                            0000000075d54889 5 bytes JMP 00000001756356a9
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!recv                                                                                    0000000075d56b0e 5 bytes JMP 0000000175636879
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!connect                                                                                 0000000075d56bdd 1 byte JMP 00000001756341e1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                                             0000000075d56bdf 3 bytes {CALL RBP}
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!send                                                                                    0000000075d56f01 5 bytes JMP 00000001756320a1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                                                 0000000075d57089 5 bytes JMP 0000000175636911
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                              0000000075d5cc3f 5 bytes JMP 00000001756367e1
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                                           0000000075d67673 5 bytes JMP 0000000175635741
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                0000000076b31465 2 bytes [B3, 76]
.text    C:\Program Files (x86)\ Malwarebytes Anti-Malware \mbam.exe[3864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                               0000000076b314bb 2 bytes [B3, 76]
.text    ...                                                                                                                                                                                    * 2
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                                           0000000076f192d1 5 bytes [B8, F9, 55, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                                           0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                                    0000000076f31470 6 bytes [48, B8, F9, 5C, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                                0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                              0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                                          0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                         0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                                     0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                                       0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                                   0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                                         0000000076f31570 6 bytes [48, B8, 39, 5B, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                                     0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                       0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                                   0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                                          0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                                      0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                           0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                                       0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                                          0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                                      0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                                             0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                                         0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                                            0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                                        0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                           0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                                       0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                               0000000076f320a0 6 bytes [48, B8, B9, 5E, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                                           0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                         0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                                     0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                                     0000000076f329a0 6 bytes [48, B8, 79, 60, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                                 0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                                           0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                                       0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                                            0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                                        0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                               0000000076f32b80 6 bytes [48, B8, B9, 65, 77, 75]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                                           0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                                0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                  0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                                     0000000076ce0931 11 bytes [B8, F9, 63, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                                    000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                                000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                               000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                                      000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                                       000007fefd4f642d 11 bytes [B8, 79, 4B, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                             000007fefd4f6484 12 bytes [48, B8, 39, 46, 77, 75, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                                   000007fefd4f6519 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                             000007fefd4f6c34 12 bytes [48, B8, 79, 44, 77, 75, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                        000007fefd4f7ab5 11 bytes [B8, 39, 4D, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                                    000007fefd4f8b01 11 bytes [B8, F9, 47, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                                    000007fefd4f8c39 11 bytes [B8, B9, 49, 77, 75, 00, 00, ...]
.text    C:\Windows\Explorer.EXE[3116] C:\Windows\system32\WS2_32.dll!connect                                                                                                                   000007fefee545c0 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                              0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                                        0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                          0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                             0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                           0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                           0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                                    0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                                    0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                               000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                               000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                            000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                                000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                                  000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                            000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                                000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                            000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                        000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                       000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                              000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                               000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                                     000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                           000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                                     000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                                000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                            000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                            000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                                       000007fefee513b1 11 bytes [B8, F9, BE, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!closesocket                                                                                                       000007fefee518e0 12 bytes [48, B8, 39, BD, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                                                    000007fefee51bd1 11 bytes [B8, 79, BB, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                                       000007fefee52201 11 bytes [B8, F9, E1, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                                      000007fefee523c0 12 bytes [48, B8, 79, A6, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!connect                                                                                                           000007fefee545c0 12 bytes [48, B8, 79, 67, 77, 75, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!send + 1                                                                                                          000007fefee58001 11 bytes [B8, B9, B9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                                     000007fefee58df0 7 bytes [48, B8, 39, A8, 77, 75, 00]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                                                 000007fefee58df9 3 bytes [00, 50, C3]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                                        000007fefee5de91 11 bytes [B8, F9, DA, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                                          000007fefee5df41 11 bytes [B8, 39, E0, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\svchost.exe[3980] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                                                    000007fefee7e0f1 11 bytes [B8, 79, DE, 77, 75, 00, 00, ...]
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                      00000000770df9e0 5 bytes JMP 00000001756364e9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                                                      00000000770dfb28 5 bytes JMP 0000000175635ef9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                00000000770dfc20 5 bytes JMP 00000001756331d9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                           00000000770dfc50 5 bytes JMP 00000001756315f1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                                                         00000000770dfc80 5 bytes JMP 0000000175631689
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                           00000000770dfcb0 5 bytes JMP 0000000175635e61
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                         00000000770dfe14 5 bytes JMP 00000001756330a9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                            00000000770dfe44 5 bytes JMP 0000000175633309
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                                                             00000000770dff24 5 bytes JMP 0000000175633271
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                            00000000770dffec 5 bytes JMP 0000000175632ee1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                               00000000770e0004 5 bytes JMP 0000000175632db1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                 00000000770e00b4 5 bytes JMP 0000000175631ed9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                00000000770e01c4 5 bytes JMP 0000000175632301
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                              00000000770e0814 5 bytes JMP 0000000175632e49
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                             00000000770e08a4 5 bytes JMP 0000000175632d19
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                 00000000770e0df4 5 bytes JMP 0000000175636581
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                                                             00000000770e1604 5 bytes JMP 0000000175634ac9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                           00000000770e1920 5 bytes JMP 0000000175633141
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                       00000000770e1be4 5 bytes JMP 0000000175636619
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess                                                                                             00000000770e1d54 5 bytes JMP 0000000175633439
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                              00000000770e1d70 5 bytes JMP 00000001756333a1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                                                                 00000000770e1ee8 5 bytes JMP 00000001756369a9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                                                                   00000000770f88c4 5 bytes JMP 0000000175631ab1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                                                                 0000000077120d3b 5 bytes JMP 0000000175632009
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                                                           000000007716860f 5 bytes JMP 0000000175634b61
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                                                                   000000007716e8ab 5 bytes JMP 0000000175631f71
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                                                           0000000074f70e00 5 bytes JMP 0000000075631da9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                            0000000074f71072 5 bytes JMP 0000000075632a21
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                                                              0000000074f7499f 5 bytes JMP 00000000756325f9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                    0000000074f83bbb 4 bytes JMP 0000000075633011
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                                                                  0000000074f97327 5 bytes JMP 0000000075632729
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                                                            0000000074f988da 5 bytes JMP 0000000075636451
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                                   0000000074ff2ff1 5 bytes JMP 00000000756328f1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                                                         000000007501748b 5 bytes JMP 00000000756346a1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                                                         00000000750174ae 5 bytes JMP 00000000756347d1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                                                              0000000075017859 5 bytes JMP 0000000075634901
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                                                              00000000750178d2 5 bytes JMP 0000000075634a31
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                                                                 0000000076c78f8d 5 bytes JMP 0000000175631a19
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                                                             0000000076c7c436 5 bytes JMP 0000000175633b59
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                                                      0000000076c7eca6 5 bytes JMP 0000000175633601
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                                                             0000000076c7f206 5 bytes JMP 0000000175632399
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                                                         0000000076c7fa89 5 bytes JMP 0000000175631e41
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                                                            0000000076c81358 5 bytes JMP 0000000175633ac1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                                                              0000000076c8137f 5 bytes JMP 0000000175633a29
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                                                        0000000076c81d29 5 bytes JMP 0000000175631981
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                                                          0000000076c81e15 5 bytes JMP 00000001756324c9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                          0000000076c82ab1 5 bytes JMP 0000000175636029
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                                                          0000000076c82cd9 5 bytes JMP 0000000175635f91
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                                                             0000000076c82d17 5 bytes JMP 00000001756360c1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                                                        0000000076c82e7a 5 bytes JMP 00000001756318e9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                                                                 0000000076c83b70 5 bytes JMP 0000000175632269
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                                                                   0000000076c84496 5 bytes JMP 0000000175632431
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                                                            0000000076c84608 5 bytes JMP 0000000175633569
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                                                      0000000076c84631 5 bytes JMP 0000000175632c81
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                                                             0000000076c8c734 5 bytes JMP 00000001756327c1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                              00000000766fc9ec 5 bytes JMP 0000000175633c89
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                                                              0000000076702b70 5 bytes JMP 0000000175633bf1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                        000000007670361c 5 bytes JMP 00000001756340b1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                                                       0000000076704965 5 bytes JMP 0000000175636b71
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                            00000000767170c4 5 bytes JMP 0000000175634311
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                            00000000767170dc 5 bytes JMP 0000000175633e51
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                                                             00000000767170f4 5 bytes JMP 0000000175633ee9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                                                      00000000767331f4 5 bytes JMP 0000000175633f81
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                                                      0000000076733204 5 bytes JMP 0000000175634019
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                                                         0000000076733214 5 bytes JMP 0000000175633d21
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                                                         0000000076733224 5 bytes JMP 0000000175633db9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                            0000000076733264 5 bytes JMP 0000000175634279
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                                                                  000000007679a472 5 bytes JMP 0000000175636c09
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                                                                  00000000767a27ce 5 bytes JMP 0000000175631be1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                                                                00000000767ae6cf 5 bytes JMP 0000000175631b49
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!GetMessageW                                                                                                 0000000074b878e2 5 bytes JMP 0000000075634441
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!GetMessageA                                                                                                 0000000074b87bd3 5 bytes JMP 00000000756343a9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                                             0000000074b88a29 5 bytes JMP 00000000756357d9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!FindWindowW                                                                                                 0000000074b898fd 5 bytes JMP 0000000075636289
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                                                                     0000000074b8b6ed 5 bytes JMP 0000000075636ca1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                                             0000000074b8d22e 5 bytes JMP 0000000075635871
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                                                             0000000074b8ee09 5 bytes JMP 00000000756334d1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!FindWindowA                                                                                                 0000000074b8ffe6 5 bytes JMP 0000000075636159
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                                                               0000000074b900d9 5 bytes JMP 00000000756361f1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                                                                0000000074b905ba 5 bytes JMP 0000000075634571
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!ShowWindow                                                                                                  0000000074b90dfb 4 bytes JMP 0000000075635909
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                0000000074b912a5 5 bytes JMP 0000000075636ad9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                                                              0000000074b920ec 5 bytes JMP 0000000075635c99
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                0000000074b93baa 5 bytes JMP 0000000075636a41
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                                                                0000000074b95f74 5 bytes JMP 00000000756344d9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                                                              0000000074b96285 5 bytes JMP 0000000075634bf9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                           0000000074b97603 5 bytes JMP 0000000075632be9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                                                              0000000074b97aee 5 bytes JMP 0000000075635c01
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                           0000000074b9835c 5 bytes JMP 0000000075632b51
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                                                                  0000000074bace54 5 bytes JMP 0000000075635a39
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                                         0000000074baf52b 4 bytes JMP 0000000075634c91
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                                                               0000000074baf588 5 bytes JMP 0000000075636321
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                                                               0000000074bb10a0 5 bytes JMP 00000000756359a1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                                                               0000000074bdfcd6 5 bytes JMP 0000000075635ad1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                                                               0000000074bdfcfa 5 bytes JMP 0000000075635b69
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!closesocket                                                                                                 0000000075d53918 5 bytes JMP 0000000175635dc9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                                                                  0000000075d53cd3 5 bytes JMP 0000000175635d31
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!socket                                                                                                      0000000075d53eb8 5 bytes JMP 00000001756366b1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!WSASend                                                                                                     0000000075d54406 5 bytes JMP 0000000175632139
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                                                                0000000075d54889 5 bytes JMP 00000001756356a9
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!recv                                                                                                        0000000075d56b0e 5 bytes JMP 0000000175636879
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!connect                                                                                                     0000000075d56bdd 1 byte JMP 00000001756341e1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                                                                 0000000075d56bdf 3 bytes {CALL RBP}
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!send                                                                                                        0000000075d56f01 5 bytes JMP 00000001756320a1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                                                                     0000000075d57089 5 bytes JMP 0000000175636911
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                                                  0000000075d5cc3f 5 bytes JMP 00000001756367e1
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5004] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                                                               0000000075d67673 5 bytes JMP 0000000175635741
         

Alt 18.06.2014, 13:11   #10
Exa
 



GMER part 7

Code:
.text    C:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe[3824] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                                 00000000008a0179 5 bytes JMP 0000000075634d29
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                             0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                             0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                      0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                                  0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                      0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                                  0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                            0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                           0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                       0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                         0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                     0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                           0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                       0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                         0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                     0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                            0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                        0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                             0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                         0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                            0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                        0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                               0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                           0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                              0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                          0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                             0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                         0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                                 0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                             0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                             0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                         0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                           0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                       0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                       0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                   0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                             0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                         0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                              0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                          0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                                 0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                             0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                       0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                         000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                         000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                      000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                          000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                            000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                      000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                          000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                      000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                                  000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                                 000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                        000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                         000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                               000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                     000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                               000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                          000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                      000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchIndexer.exe[5060] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                      000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                        0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                        0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                 0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                             0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                 0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                             0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                           0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                       0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                      0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                  0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                    0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                      0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                  0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                    0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                       0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                   0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                        0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                    0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                       0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                   0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                          0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                      0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                         0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                     0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                        0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                    0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                            0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                        0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                        0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                    0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                      0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                  0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                  0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                              0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                        0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                    0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                         0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                     0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                            0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                        0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                  0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                   0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                             0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                               0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                  0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                         0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                         0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                    000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                    000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                 000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                     000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                       000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                 000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                     000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                 000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                             000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                            000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                   000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                    000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                          000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                          000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                     000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                 000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchProtocolHost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                 000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                          0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                          0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                   0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                               0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                                   0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                               0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                             0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                         0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                        0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                    0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                      0000000076f31550 6 bytes [48, B8, F9, 1D, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                                  0000000076f31558 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                        0000000076f31570 6 bytes [48, B8, B9, C0, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                    0000000076f31578 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                      0000000076f31650 6 bytes [48, B8, 79, 2F, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                                  0000000076f31658 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                         0000000076f31670 6 bytes [48, B8, 79, 36, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                     0000000076f31678 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                          0000000076f31700 6 bytes [48, B8, B9, 34, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                      0000000076f31708 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                         0000000076f31780 6 bytes [48, B8, 39, 2A, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                     0000000076f31788 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                            0000000076f31790 6 bytes [48, B8, B9, 26, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                        0000000076f31798 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                           0000000076f31cd0 6 bytes [48, B8, 79, 28, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                       0000000076f31cd8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                          0000000076f31d30 6 bytes [48, B8, F9, 24, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                      0000000076f31d38 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                              0000000076f320a0 6 bytes [48, B8, 79, D7, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                          0000000076f320a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                          0000000076f325e0 6 bytes [48, B8, 79, 83, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                                      0000000076f325e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                        0000000076f327e0 6 bytes [48, B8, 39, 31, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                    0000000076f327e8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                    0000000076f329a0 6 bytes [48, B8, 39, D9, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                                0000000076f329a8 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess                                                                                          0000000076f32a80 6 bytes [48, B8, 79, 3D, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8                                                                                      0000000076f32a88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread                                                                                           0000000076f32a90 6 bytes [48, B8, B9, 3B, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8                                                                                       0000000076f32a98 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                              0000000076f32b80 6 bytes [48, B8, 39, E7, 77, 75]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                          0000000076f32b88 4 bytes [00, 00, 50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                                    0000000076fa3201 11 bytes [B8, 39, 85, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                                     0000000076cc1b21 11 bytes [B8, F9, D3, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                               0000000076cc1c10 12 bytes [48, B8, F9, 39, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                 0000000076cddb80 12 bytes [48, B8, B9, 2D, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                    0000000076ce0931 11 bytes [B8, 79, E5, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                                  0000000076d152f1 11 bytes [B8, B9, 7A, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                                  0000000076d15311 11 bytes [B8, 39, 77, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                           0000000076d2a5e0 12 bytes [48, B8, B9, 81, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                           0000000076d2a6f0 12 bytes [48, B8, 39, 7E, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                                      000007fefcd81861 11 bytes [B8, 79, 52, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                                      000007fefcd82db1 11 bytes [B8, B9, C7, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                                   000007fefcd83461 11 bytes [B8, 79, C9, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                                       000007fefcd88ef0 12 bytes [48, B8, F9, C5, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                         000007fefcd894c0 12 bytes [48, B8, B9, 50, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                                   000007fefcd8bfd1 11 bytes [B8, 39, C4, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                                       000007fefcd92af1 11 bytes [B8, F9, 4E, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                                   000007fefcdb4350 12 bytes [48, B8, B9, 42, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                               000007fefcdc2871 8 bytes [B8, 39, 23, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                              000007fefcdc287a 2 bytes [50, C3]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                     000007fefcdc28b1 11 bytes [B8, F9, 40, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                      000007fefd4f642d 11 bytes [B8, 39, 5B, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                            000007fefd4f6484 12 bytes [48, B8, F9, 55, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                                  000007fefd4f6519 11 bytes [B8, 39, 62, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                            000007fefd4f6c34 12 bytes [48, B8, 39, 54, 77, 75, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                       000007fefd4f7ab5 11 bytes [B8, F9, 5C, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                                   000007fefd4f8b01 11 bytes [B8, B9, 57, 77, 75, 00, 00, ...]
.text    C:\Windows\system32\SearchFilterHost.exe[4120] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                                   000007fefd4f8c39 11 bytes [B8, 79, 59, 77, 75, 00, 00, ...]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                   0000000076f192d1 5 bytes [B8, 39, 69, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                   0000000076f192d7 5 bytes [00, 00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                            0000000076f313a0 6 bytes [48, B8, B9, D5, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                        0000000076f313a8 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                            0000000076f31470 6 bytes [48, B8, 79, C2, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                        0000000076f31478 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                      0000000076f31510 6 bytes [48, B8, F9, 32, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                  0000000076f31518 4 bytes [00, 00, 50, C3]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                 0000000076f31530 6 bytes [48, B8, 39, 1C, 77, 75]
.text    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                             0000000076f31538 4 bytes [00, 00, 50, C3]
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                                                             0000000074b900d9 5 bytes JMP 00000000756361f1
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                                                              0000000074b905ba 5 bytes JMP 0000000075634571
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!ShowWindow                                                                                                0000000074b90dfb 4 bytes JMP 0000000075635909
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                              0000000074b912a5 5 bytes JMP 0000000075636b71
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                                                            0000000074b920ec 5 bytes JMP 0000000075635c99
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                              0000000074b93baa 5 bytes JMP 0000000075636ad9
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                                                              0000000074b95f74 5 bytes JMP 00000000756344d9
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                                                            0000000074b96285 5 bytes JMP 0000000075634bf9
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                                                         0000000074b97603 5 bytes JMP 0000000075632be9
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                                                            0000000074b97aee 5 bytes JMP 0000000075635c01
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                                                         0000000074b9835c 5 bytes JMP 0000000075632b51
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                                                                0000000074bace54 5 bytes JMP 0000000075635a39
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                                                       0000000074baf52b 4 bytes JMP 0000000075634c91
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                                                             0000000074baf588 5 bytes JMP 0000000075636321
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                                                             0000000074bb10a0 5 bytes JMP 00000000756359a1
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                                                             0000000074bdfcd6 5 bytes JMP 0000000075635ad1
.text    C:\Users\Alex\Desktop\Gmer-19357(1).exe[3384] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                                                             0000000074bdfcfa 5 bytes JMP 0000000075635b69
---- Processes - GMER 2.1 ----

Library  \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [988] (FILE NOT FOUND)  000007fefb610000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Windows\system32\taskhost.exe [3772] (FD/CN)(2014-06-15 17:50:59)                                                  000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Windows\system32\Dwm.exe [3968] (FD/CN)(2014-06-15 17:50:59)                                                       000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3116] (FD/CN)(2014-06-15 17:50:59)                                                           000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [3480] (FD/CN)(2014-06-15 17                                          000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Windows\System32\rundll32.exe [4640] (FD/CN)(2014-06-15 17:50:59)                                                  000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [4668] (FD/CN)(2014-                                              000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Program Files\NVIDIA Corporation\Display\nvtray.exe [4700] (FD/CN)                                                 000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe [4156] (FD/CN)(2014-06-15 17:50:59)                    000007fef8a20000
Library  C:\Users\Alex\AppData\Local\Temp\Dw64.dll (*** suspicious ***) @ C:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe [4344] (FD/CN)(2014-06-15 17:50:59)                000007fef8a20000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\ControlSet002\Control@PreshutdownOrder                                                                                                                                     wuauserv?gpsvc?trustedinstaller?
Reg      HKLM\SYSTEM\ControlSet002\Control@WaitToKillServiceTimeout                                                                                                                             12000
Reg      HKLM\SYSTEM\ControlSet002\Control@CurrentUser                                                                                                                                          USERNAME
Reg      HKLM\SYSTEM\ControlSet002\Control@BootDriverFlags                                                                                                                                      0
Reg      HKLM\SYSTEM\ControlSet002\Control@ServiceControlManagerExtension                                                                                                                       %systemroot%\system32\scext.dll
Reg      HKLM\SYSTEM\ControlSet002\Control@SystemStartOptions                                                                                                                                    NOEXECUTE=OPTIN
Reg      HKLM\SYSTEM\ControlSet002\Control@SystemBootDevice                                                                                                                                     multi(0)disk(0)rdisk(0)partition(2)
Reg      HKLM\SYSTEM\ControlSet002\Control@FirmwareBootDevice                                                                                                                                   multi(0)disk(0)rdisk(0)partition(1)

---- EOF - GMER 2.1 ----
         
So that was everything. Sorry for the spam, but the log was gigantic; I hope this is right and easier for you to work through.

18.06.2014, 13:24   #11
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Do you have any other logs (with detections)? Malwarebytes and/or other virus scanners, did any of them find something?

I'm asking because of this => http://www.trojaner-board.de/125889-...tml#post941520

Please don't run any new virus scans; first post only the logs you already have, in CODE tags!
Only logs from the last 7 days, or since the problem began, are relevant!
__________________
Please always post logfiles in CODE tags

18.06.2014, 15:20   #12
Exa

Hi, thanks for the quick reply. I'll check at home whether the log is saved and post it then; right now I'm still out.

So here is the Malwarebytes log
Code:
 Malwarebytes Anti-Malware 
www.malwarebytes.org

Scan Date: 16.06.2014
Scan Time: 13:57:02
Logfile: malwarebytes log.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.16.03
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Alex

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 268297
Time Elapsed: 4 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 8
PUP.Optional.Wajam.A, HKLM\SOFTWARE\CLASSES\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [081b4f2a8fec6fc7424597e0ed15d32d], 
PUP.Optional.Wajam.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [081b4f2a8fec6fc7424597e0ed15d32d], 
PUP.Optional.BrowseFox.A, HKLM\SOFTWARE\CLASSES\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}, Quarantined, [899a3e3b3d3e4de9814dd6a0eb17f010], 
PUP.Optional.BrowseFox.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}, Quarantined, [899a3e3b3d3e4de9814dd6a0eb17f010], 
PUP.Optional.InstallBrain.A, HKLM\SOFTWARE\WOW6432NODE\InstallIQ, Quarantined, [d3502b4ea7d4270f001c04b857ab55ab], 
PUP.Optional.WebSparkle.A, HKLM\SOFTWARE\WOW6432NODE\WebSparkle, Quarantined, [2ff4adcc106b05316611955aa162a35d], 
PUP.Optional.WebSparkle.A, HKU\S-1-5-21-2514585675-1378572018-3791475494-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WebSparkle, Quarantined, [7aa9caafb2c9ac8a3955f7e7cd3639c7], 
PUP.Optional.Softonic.A, HKU\S-1-5-21-2514585675-1378572018-3791475494-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\SOFTONIC\Universal Downloader, Quarantined, [b76ccfaa4b3090a610a61c94bf439d63], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.InstallIQ, C:\Users\Alex\Downloads\coretemp_1236.exe, Quarantined, [ab781a5fbebd191d973ba677af52b947], 
PUP.Optional.OpenCandy.A, C:\Users\Alex\Downloads\winamp565_full_emusic-7plus_de-de.exe, Quarantined, [26fdbcbd39422a0ccaac72d03cc43ac6], 

Physical Sectors: 0
(No malicious items detected)


(end)
         
Thank you very much for your help!

18.06.2014, 15:28   #13
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Those are only adware detections, though; anyway, please run Combofix:

Scan with Combofix
WARNING to READERS:
Combofix should only be run when a team member has instructed you to do so!

Please download Combofix from the following download mirror: Link
  • IMPORTANT: Save Combofix to your desktop.
  • Please disable all your antivirus software as well as malware/spyware scanners. They can interfere with Combofix's work. Combofix sometimes complains anyway; you can ignore that, but please let me know.
  • Start Combofix.exe and follow the on-screen instructions.
  • While Combofix is running, do not work on the computer, move the mouse or click into the Combofix window!
  • When Combofix has finished, it will create a logfile.
  • Please post C:\Combofix.txt in your next reply (in CODE tags if possible).
Note: If you get the following error message after the reboot
Illegal operation attempted on a registry key that has been marked for deletion.
simply restart the computer. This should fix the problem.


18.06.2014, 16:15   #14
Exa

OK, done. From everything I could see, the file that customer support described to me as infected was deleted by Combofix.

Code:
ComboFix 14-06-16.01 - Alex 18.06.2014  17:05:52.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.8111.6263 [GMT 2:00]
Running from:: c:\users\Alex\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
c:\programdata\1402905056.bdinstall.bin
c:\programdata\1403103860.bdinstall.bin
c:\users\Alex\AppData\Local\Temp\Dw64.dll
.
.
(((((((((((((((((((((((   Files Created from 2014-05-18 to 2014-06-18  ))))))))))))))))))))))))))))))
.
.
2014-06-18 15:07 . 2014-06-18 15:07	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-06-18 11:21 . 2014-06-18 11:23	--------	d-----w-	C:\FRST
2014-06-18 08:27 . 2014-06-18 08:27	423240	----a-w-	c:\windows\system32\drivers\aswsp.sys.1403080315885
2014-06-18 08:27 . 2014-06-18 08:27	1039096	----a-w-	c:\windows\system32\drivers\aswsnx.sys.1403080315885
2014-06-17 20:53 . 2014-06-18 10:34	--------	d-----w-	c:\users\Alex\AppData\Local\Battle.net
2014-06-17 20:53 . 2014-06-17 20:55	--------	d-----w-	c:\users\Alex\AppData\Roaming\Battle.net
2014-06-17 20:52 . 2014-06-17 20:53	--------	d-----w-	c:\programdata\Battle.net
2014-06-17 19:22 . 2014-06-17 20:53	--------	d-----w-	c:\programdata\Blizzard Entertainment
2014-06-16 12:58 . 2014-06-16 12:58	--------	d-----w-	c:\users\Alex\AppData\Local\Blizzard Entertainment
2014-06-16 11:56 . 2014-06-18 11:35	122584	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-06-16 11:56 . 2014-06-16 11:56	--------	d-----w-	c:\program files (x86)\ Malwarebytes Anti-Malware 
2014-06-16 11:56 . 2014-06-16 11:56	--------	d-----w-	c:\programdata\Malwarebytes
2014-06-16 11:56 . 2014-05-12 05:26	63704	----a-w-	c:\windows\system32\drivers\mwac.sys
2014-06-16 11:56 . 2014-05-12 05:26	91352	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2014-06-16 11:56 . 2014-05-12 05:25	25816	----a-w-	c:\windows\system32\drivers\mbam.sys
2014-06-16 10:32 . 2014-06-06 04:39	46704	----a-w-	c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2014-06-16 07:53 . 2014-06-16 07:53	--------	d-----w-	c:\programdata\BDLogging
2014-06-16 07:53 . 2013-11-04 14:47	82824	----a-w-	c:\windows\system32\drivers\bdsandbox.sys
2014-06-16 07:53 . 2013-11-04 14:47	74512	----a-w-	c:\windows\SysWow64\bdsandboxuiskin32.dll
2014-06-16 07:53 . 2007-04-11 09:11	511328	----a-w-	c:\windows\capicom.dll
2014-06-16 07:53 . 2012-11-02 12:17	261056	----a-w-	c:\windows\system32\drivers\avchv.sys
2014-06-16 07:51 . 2014-06-16 09:18	74512	----a-w-	c:\windows\system32\bdsandboxuiskin32.dll
2014-06-16 07:51 . 2014-06-16 07:52	--------	d-----w-	c:\program files\Bitdefender
2014-06-16 07:51 . 2013-11-04 14:47	84848	----a-w-	c:\windows\system32\BDSandBoxUISkin.dll
2014-06-16 07:51 . 2013-11-04 14:46	34384	----a-w-	c:\windows\system32\BDSandBoxUH.dll
2014-06-16 07:50 . 2014-06-16 07:50	--------	d-----w-	c:\users\Alex\AppData\Roaming\QuickScan
2014-06-16 07:49 . 2014-06-18 15:04	--------	d-----w-	c:\program files\Common Files\Bitdefender
2014-06-16 07:49 . 2014-06-16 07:49	--------	d-----w-	c:\program files (x86)\Common Files\Bitdefender
2014-06-15 22:43 . 2014-06-15 22:44	--------	d-----w-	c:\users\Alex\AppData\Roaming\Curse Advertising
2014-06-15 22:43 . 2014-06-15 22:43	--------	d-----w-	c:\users\Alex\AppData\Local\Apps
2014-06-15 22:42 . 2014-06-17 20:43	--------	d-----w-	c:\users\Alex\AppData\Local\Deployment
2014-06-15 21:48 . 2014-06-15 21:48	--------	d-----w-	c:\users\Alex\AppData\Roaming\Lavasoft
2014-06-15 21:43 . 2014-06-15 21:43	--------	d-----w-	c:\program files\Common Files\Lavasoft
2014-06-15 21:43 . 2014-06-15 21:43	--------	d-----w-	c:\programdata\Lavasoft
2014-06-15 17:50 . 2014-06-15 18:25	--------	d-----w-	c:\users\Alex\AppData\Local\._LiveCode_
2014-06-15 17:50 . 2014-06-15 17:50	--------	d-----w-	c:\users\Alex\AppData\Roaming\Acreon
2014-06-14 07:38 . 2014-06-14 07:38	--------	d-----w-	c:\users\Alex\AppData\Local\Adobe
2014-06-02 15:42 . 2014-05-29 23:07	1291232	----a-w-	c:\windows\SysWow64\nvspbridge.dll
2014-06-02 15:42 . 2014-05-29 23:07	1715176	----a-w-	c:\windows\system32\nvspbridge64.dll
2014-05-26 16:50 . 2014-05-19 23:10	601432	----a-w-	c:\windows\SysWow64\nvStreaming.exe
2014-05-22 20:59 . 2014-05-22 20:59	--------	d-sh--w-	c:\users\Alex\AppData\Local\EmieUserList
2014-05-22 20:59 . 2014-05-22 20:59	--------	d-sh--w-	c:\users\Alex\AppData\Local\EmieSiteList
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-11 21:20 . 2013-11-04 16:56	95414520	----a-w-	c:\windows\system32\MRT.exe
2014-06-11 21:15 . 2013-11-02 16:19	71344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-06-11 21:15 . 2013-11-02 16:19	699056	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2014-06-10 17:48 . 2013-11-02 18:44	281872	----a-w-	c:\windows\SysWow64\PnkBstrB.exe
2014-06-10 17:48 . 2013-11-02 18:44	281872	----a-w-	c:\windows\SysWow64\PnkBstrB.ex0
2014-06-10 17:48 . 2013-11-02 18:44	76888	----a-w-	c:\windows\SysWow64\PnkBstrA.exe
2014-05-29 23:07 . 2013-11-12 20:28	1122312	----a-w-	c:\windows\SysWow64\nvspcap.dll
2014-05-29 23:07 . 2013-11-12 20:28	1279480	----a-w-	c:\windows\system32\nvspcap64.dll
2014-05-20 02:44 . 2014-04-22 15:06	17480432	----a-w-	c:\windows\system32\nvd3dumx.dll
2014-05-20 02:44 . 2014-03-14 17:40	18531568	----a-w-	c:\windows\system32\nvwgf2umx.dll
2014-05-20 02:44 . 2014-03-14 17:40	16003912	----a-w-	c:\windows\SysWow64\nvwgf2um.dll
2014-05-20 02:44 . 2013-11-02 14:46	61216	----a-w-	c:\windows\system32\OpenCL.dll
2014-05-20 02:44 . 2013-11-02 14:46	52056	----a-w-	c:\windows\SysWow64\OpenCL.dll
2014-05-20 02:44 . 2013-11-02 14:44	952952	----a-w-	c:\windows\system32\nvumdshimx.dll
2014-05-20 02:44 . 2013-11-02 14:44	31387936	----a-w-	c:\windows\system32\nvoglv64.dll
2014-05-20 02:44 . 2013-11-02 14:44	3109248	----a-w-	c:\windows\system32\nvapi64.dll
2014-05-20 02:44 . 2013-11-02 14:44	2730208	----a-w-	c:\windows\SysWow64\nvapi.dll
2014-05-20 02:44 . 2013-11-02 14:44	14434704	----a-w-	c:\windows\SysWow64\nvd3dum.dll
2014-05-20 01:25 . 2013-11-02 14:46	6769096	----a-w-	c:\windows\system32\nvcpl.dll
2014-05-20 01:25 . 2013-11-02 14:46	3514144	----a-w-	c:\windows\system32\nvsvc64.dll
2014-05-20 01:25 . 2013-11-02 14:46	927520	----a-w-	c:\windows\system32\nvvsvc.exe
2014-05-20 01:25 . 2013-11-02 14:46	62808	----a-w-	c:\windows\system32\nvshext.dll
2014-05-20 01:25 . 2013-11-02 14:46	387528	----a-w-	c:\windows\system32\nvmctray.dll
2014-05-20 01:25 . 2013-11-02 14:46	2560968	----a-w-	c:\windows\system32\nvsvcr.dll
2014-05-14 23:49 . 2013-11-02 14:46	3774821	----a-w-	c:\windows\system32\nvcoproc.bin
2014-04-12 02:22 . 2014-05-14 17:57	95680	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:22 . 2014-05-14 17:57	155072	----a-w-	c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:19 . 2014-05-14 17:57	29184	----a-w-	c:\windows\system32\sspisrv.dll
2014-04-12 02:19 . 2014-05-14 17:57	136192	----a-w-	c:\windows\system32\sspicli.dll
2014-04-12 02:19 . 2014-05-14 17:57	28160	----a-w-	c:\windows\system32\secur32.dll
2014-04-12 02:19 . 2014-05-14 17:57	1460736	----a-w-	c:\windows\system32\lsasrv.dll
2014-04-12 02:19 . 2014-05-14 17:57	31232	----a-w-	c:\windows\system32\lsass.exe
2014-04-12 02:12 . 2014-05-14 17:57	22016	----a-w-	c:\windows\SysWow64\secur32.dll
2014-04-12 02:10 . 2014-05-14 17:57	96768	----a-w-	c:\windows\SysWow64\sspicli.dll
2014-03-31 16:42 . 2014-05-05 15:09	40392	----a-w-	c:\windows\system32\drivers\nvvad64v.sys
2014-03-31 16:42 . 2013-11-02 14:44	37320	----a-w-	c:\windows\system32\nvaudcap64v.dll
2014-03-31 16:42 . 2014-05-05 15:09	34760	----a-w-	c:\windows\SysWow64\nvaudcap32v.dll
2014-03-27 12:45 . 2014-04-22 15:06	1890080	----a-w-	c:\windows\system32\nvdispco6433750.dll
2014-03-27 12:45 . 2014-04-22 15:06	1539416	----a-w-	c:\windows\system32\nvdispgenco6433750.dll
2014-03-25 02:43 . 2014-05-14 17:57	14175744	----a-w-	c:\windows\system32\shell32.dll
.
.
((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2013-03-12 134616]
"XFastUSB"="c:\program files (x86)\XFastUSB\XFastUsb.exe" [2013-11-02 4936968]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Bitdefender-Geldbörse-Agent"="c:\program files\Bitdefender\Bitdefender\pmbxag.exe" [2014-05-20 568400]
"Bitdefender-Geldbörse-Anwendungs-Agent"="c:\program files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe" [2014-04-08 614744]
.
c:\users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Samsung Magician.lnk - c:\program files (x86)\Samsung\Samsung Magician\Samsung Magician.exe  /AUTOHIDE [2014-1-7 4580256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
3;4 BDVEDISK;BDVEDISK;c:\windows\system32\DRIVERS\bdvedisk.sys;c:\windows\SYSNATIVE\DRIVERS\bdvedisk.sys [x]
R2 avgwd;AVG WatchDog;f:\avg\avgwdsvc.exe;f:\avg\avgwdsvc.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS;c:\windows\SYSNATIVE\drivers\FNETTBOH_305.SYS [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Intel(R) Capability Licensing Service TCP IP Interface;Intel(R) Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 iumsvc;Intel(R) Update Manager;c:\program files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe;c:\program files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 iusb3hcs;Intel(R) USB 3.0 Hostcontroller-Switchtreiber;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS;c:\windows\SYSNATIVE\drivers\FNETURPX.SYS [x]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel(R) ME Service;Intel(R) ME Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe;c:\program files (x86)\ Malwarebytes Anti-Malware \mbamservice.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 e1dexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver D;c:\windows\system32\DRIVERS\e1d62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1d62x64.sys [x]
S3 iusb3hub;Intel(R) USB 3.0-Hubtreiber;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible-Hostcontrollertreiber;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 LADF_CaptureOnly;LADF Capture Filter Driver;c:\windows\system32\DRIVERS\ladfGSCamd64.sys;c:\windows\SYSNATIVE\DRIVERS\ladfGSCamd64.sys [x]
S3 LADF_RenderOnly;LADF Render Filter Driver;c:\windows\system32\DRIVERS\ladfGSRamd64.sys;c:\windows\SYSNATIVE\DRIVERS\ladfGSRamd64.sys [x]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys;c:\windows\SYSNATIVE\drivers\LGBusEnum.sys [x]
S3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\DRIVERS\LGSHidFilt.Sys;c:\windows\SYSNATIVE\DRIVERS\LGSHidFilt.Sys [x]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys;c:\windows\SYSNATIVE\drivers\LGVirHid.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 Neo_VPN;VPN Client Device Driver - VPN;c:\windows\system32\DRIVERS\Neo_0116.sys;c:\windows\SYSNATIVE\DRIVERS\Neo_0116.sys [x]
S3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - BdfNdisf
*Deregistered* - bdfwfpf
*Deregistered* - gzflt
*Deregistered* - kxldrpog
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-02 21:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2013-07-26 13636824]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2013-08-01 8290584]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-05-29 1279480]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-05-29 2352072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\f2vgn55p.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.de/
FF - prefs.js: network.proxy.ftp - 71.56.183.237
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.socks - 71.56.183.237
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 71.56.183.237
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-Run-Bitdefender-Geldbörse - c:\program files\Bitdefender\Bitdefender\pwdmanui.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKLM-Run-InstallerLauncher - c:\program files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\setuplauncher.exe
AddRemove-UpdaterEX - c:\users\Alex\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2014-06-18  17:08:12
ComboFix-quarantined-files.txt  2014-06-18 15:08
.
Vor Suchlauf: 8 Verzeichnis(se), 214.944.190.464 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 216.076.824.576 Bytes frei
.
- - End Of File - - 7C1671240175518441F3FE434CB5F316
A36C5E4F47E84449FF07ED3517B43A31
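The two things in the ComboFix excerpt above that a log reviewer looks at first are the `FF - prefs.js: network.proxy.*` lines (a browser proxy pointed at an address outside the local network) and the `Run` autostart entries. As an added example, not code from the thread and not a ComboFix or Trojaner-Board tool, here is a small Python triage script that parses those two kinds of lines from such a log, decodes `network.proxy.type`, and flags proxy hosts outside private address space as well as autostart entries running from user-writable directories. The embedded sample log is constructed: its proxy lines mirror the ones in the log above, while the `Updater` rundll32 entry and its timestamp are invented purely to exercise the autostart check.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not part of
ComboFix or of the original thread)."""
import ipaddress
import re

# Meaning of Firefox's network.proxy.type values.
PROXY_TYPES = {
    0: "no proxy",
    1: "manual proxy configuration",
    2: "proxy auto-config (PAC) URL",
    4: "auto-detect (WPAD)",
    5: "system proxy settings",
}

# Directory fragments a normal user can write to; a legitimate product rarely
# autostarts from here, while droppers and adware often do.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")

FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
RUN_ENTRY_RE = re.compile(r'^"([^"]+)"="(.*?)"\s*\[')
PROXY_HOST_RE = re.compile(r"^network\.proxy\.(http|ssl|ftp|socks)$")

# Constructed sample. The proxy lines mirror the thread's log; the "Updater"
# entry is invented to exercise the autostart check.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2013-07-26 13636824]
"Updater"="c:\windows\system32\rundll32.exe c:\users\user\appdata\local\temp\helper.dll,Start" [2014-06-16 61440]
.
------- Zusätzlicher Suchlauf -------
TCP: DhcpNameServer = 192.168.0.1
FF - prefs.js: network.proxy.ftp - 71.56.183.237
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.socks - 71.56.183.237
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 71.56.183.237
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
"""


def parse_ff_prefs(log):
    """Collect 'FF - prefs.js: <key> - <value>' lines into a dict."""
    prefs = {}
    for line in log.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def parse_run_entries(log):
    """Return (name, command) pairs from '"Name"="command" [date size]' lines."""
    entries = []
    for line in log.splitlines():
        m = RUN_ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_local_host(value):
    """True for private, loopback or link-local addresses (or 'localhost')."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return value.lower() in ("localhost", "")
    return ip.is_private or ip.is_loopback or ip.is_link_local


def autostart_findings(entries):
    """Flag autostart commands that run from user-writable locations."""
    findings = []
    for name, command in entries:
        cmd = command.lower()
        if any(frag in cmd for frag in USER_WRITABLE):
            reason = "runs from a user-writable directory"
            if "rundll32" in cmd:
                reason = "rundll32 loads a DLL from a user-writable directory"
            findings.append((name, command, reason))
    return findings


def triage(log):
    """Summarise proxy configuration and suspicious autostarts in one dict."""
    prefs = parse_ff_prefs(log)
    ptype = prefs.get("network.proxy.type")
    try:
        ptype_desc = PROXY_TYPES.get(int(ptype), "unknown") if ptype is not None else "not set"
    except ValueError:
        ptype_desc = "unknown"
    external = []
    for key, host in prefs.items():
        m = PROXY_HOST_RE.match(key)
        if m and not is_local_host(host):
            external.append((m.group(1), host, prefs.get(key + "_port", "?")))
    return {
        "proxy_type": ptype_desc,
        "external_proxies": sorted(external),
        "suspicious_autostarts": autostart_findings(parse_run_entries(log)),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, "->", items)
```

One caveat worth keeping in mind when reading such output: with `network.proxy.type` set to 2, Firefox uses the PAC script named in `network.proxy.autoconfig_url` rather than the manual `network.proxy.ftp`/`ssl`/`socks` hosts, so the host entries by themselves prove that the profile was tampered with but not that traffic is currently being relayed through that address; the PAC URL, which this excerpt does not list, is the value to examine next.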
         

Old 18.06.2014, 19:43   #15
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™

Alleged keylogger/rootkit: Doctor2 rundll32.exe



Remove adware/junkware/toolbars


Step 1: AdwCleaner

Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will be restarted automatically. After the restart a text file will open. Post its contents in your next reply.
  • You can also find the log file at C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).




Step 2: JRT - Junkware Removal Tool

Please close your security software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop.

  • Start the tool with a double-click. On Windows Vista (or higher), please start it via right-click "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan may take a while.
  • When the tool has finished, the log file (JRT.txt) is saved to the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.




Step 3: Fresh log with FRST

Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-bit | FRST 64-bit
(If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked to, and click Scan.
  • The log files will now be created and will afterwards be on your desktop.
  • Post the FRST.txt and, after the first scan, also the Addition.txt in your thread (click the #-symbol in the website's input box)

__________________
Please always post log files in CODE tags
