logposter | 10.01.2014 14:53 | Bitdefender reports Trojan.GenericKD.1440205
A few days ago, Bitdefender displayed the messages shown below.
Otherwise I noticed nothing, except that the PDF printer could no longer write to the directory C:\Users\Anonym\AppData\Local\Temp\PDF24. After I deleted the folder, it works again.
Virustotal:
https://www.virustotal.com/de/file/3e80ae42c92f333799e1ba3c3dd28a1794f42bb2bbe302cd974e178eee0b1723/analysis/1389012534/
Bitdefender Code:
The file C:\Users\Anonym\AppData\Local\Temp\P1USPtHp.exe.part has been detected as infected. Bitdefender denied this item.
Virus name: Trojan.GenericKD.1440205
The file C:\Users\Anonym\AppData\Local\Temp\ibJoQv9n.exe.part has been detected as infected. Bitdefender denied this item.
Virus name: Trojan.GenericKD.1440205
FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-01-2014
Ran by Admin (administrator) on HP-PAVILLION on 10-01-2014 15:17:20
Running from C:\Users\Anonym\Downloads
Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal
==================== Processes (Whitelisted) ===================
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files\Macrium\Reflect\ReflectService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Geek Software GmbH) C:\Program Files\PDF24\pdf24.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Bdagent] - C:\Program Files\Bitdefender\Bitdefender 2013\bdagent.exe [1614344 2013-11-20] (Bitdefender)
HKLM\...\Run: [KeePass 2 PreLoad] - C:\Program Files\KeePass Password Safe 2\KeePass.exe [1960448 2013-04-05] (Dominik Reichl)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [PDFPrint] - C:\Program Files\PDF24\pdf24.exe [186408 2013-12-12] (Geek Software GmbH)
MountPoints2: {5e8555c9-955a-11e2-913c-806e6f6e6963} - E:\autorun.exe
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://google.de/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA0E97C95A129CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5ido52vh.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.40.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.40.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-de.xml
========================== Services (Whitelisted) =================
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [249976 2013-06-14] ()
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2013\updatesrv.exe [54960 2013-08-27] (Bitdefender)
R2 vsserv; C:\Program Files\Bitdefender\Bitdefender 2013\vsserv.exe [1343472 2013-11-20] (Bitdefender)
==================== Drivers (Whitelisted) ====================
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [640560 2013-08-01] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [242504 2012-11-02] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [490144 2013-08-01] (BitDefender)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [90704 2011-11-14] (BitDefender LLC)
S3 BDSandBox; C:\Windows\system32\drivers\bdsandbox.sys [66832 2013-11-20] (BitDefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys [135600 2013-08-07] (BitDefender LLC)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [165744 2013-10-02] (BitDefender LLC)
S3 PSMounterEx; C:\Windows\system32\drivers\psmounterex.sys [55416 2013-06-14] ()
R0 pssnap; C:\Windows\System32\DRIVERS\pssnap.sys [16504 2013-06-14] (Macrium Software)
S3 PSVolAcc; C:\Windows\System32\Drivers\PSVolAcc.sys [13432 2013-06-14] (Paramount Software UK Ltd)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [360376 2013-10-02] (BitDefender S.R.L.)
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2014-01-10 15:17 - 2014-01-10 15:17 - 00005277 _____ C:\Users\Anonym\Downloads\FRST.txt
2014-01-10 14:27 - 2014-01-10 14:29 - 00000241 _____ C:\Users\Anonym\Downloads\Neues Textdokument.txt
2014-01-10 14:13 - 2014-01-10 14:13 - 00000000 ____D C:\Users\Anonym\AppData\Local\PDF24
2014-01-10 14:07 - 2014-01-10 14:07 - 00000000 ____D C:\Users\Admin\AppData\Local\PDF24
2014-01-10 14:01 - 2014-01-10 14:01 - 00001819 _____ C:\Users\Public\Desktop\PDF24 Creator.lnk
2014-01-09 16:31 - 2014-01-10 11:14 - 00000000 ____D C:\Users\Anonym\Desktop\KORRESPONDENZ - BLANKO
2014-01-09 14:59 - 2014-01-09 14:59 - 00000000 ____D C:\Users\Anonym\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google+ Auto Backup
2014-01-07 11:50 - 2014-01-10 11:01 - 00000000 ____D C:\Users\Anonym\AppData\Roaming\Foxit Scanner Images
2014-01-06 20:23 - 2014-01-06 20:23 - 04558848 _____ (Google Inc.) C:\Windows\system32\GPhotos.scr
2014-01-06 14:54 - 2014-01-10 14:43 - 00192037 _____ C:\Users\Anonym\Downloads\gmer.log
2014-01-06 14:19 - 2014-01-10 15:09 - 00000000 ____D C:\FRST
2014-01-06 14:17 - 2014-01-10 15:09 - 01066141 _____ (Farbar) C:\Users\Anonym\Downloads\FRST.exe
2014-01-06 14:17 - 2014-01-06 14:17 - 00377856 _____ C:\Users\Anonym\Downloads\gmer_2.1.19163.exe
2014-01-06 12:57 - 2014-01-06 12:57 - 00000000 ____D C:\Program Files\OpenEstate-ImmoTool
2013-12-28 14:16 - 2013-12-28 14:17 - 00000000 ____D C:\Users\Anonym\Desktop\Neuer Ordner
2013-12-16 08:23 - 2013-12-16 08:23 - 00131072 ____N C:\Windows\Minidump\121613-30342-01.dmp
2013-12-14 16:07 - 2013-12-14 16:07 - 00131072 ____N C:\Windows\Minidump\121413-34039-01.dmp
2013-12-12 14:43 - 2013-11-26 11:11 - 17112576 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-12-12 14:43 - 2013-11-26 10:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-12-12 14:43 - 2013-11-26 10:22 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2013-12-12 14:43 - 2013-11-26 09:53 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-12-12 14:43 - 2013-11-26 09:52 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2013-12-12 14:43 - 2013-11-26 09:38 - 02166784 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-12-12 14:43 - 2013-11-26 09:38 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-12-12 14:43 - 2013-11-26 09:36 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-12-12 14:43 - 2013-11-26 09:32 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-12-12 14:43 - 2013-11-26 09:29 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-12-12 14:43 - 2013-11-26 09:29 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2013-12-12 14:43 - 2013-11-26 09:28 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2013-12-12 14:43 - 2013-11-26 09:16 - 04243968 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-12-12 14:43 - 2013-11-26 09:13 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-12-12 14:43 - 2013-11-26 08:32 - 01928192 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-12-12 14:43 - 2013-11-26 08:26 - 11221504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-12-12 14:43 - 2013-11-26 07:34 - 00703488 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2013-12-12 14:43 - 2013-11-26 07:33 - 01820160 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-12-12 14:43 - 2013-11-26 07:27 - 01157632 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-12-12 14:38 - 2013-05-10 05:56 - 12625408 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2013-12-12 14:38 - 2013-05-10 05:56 - 11410432 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2013-12-12 08:53 - 2013-11-23 19:26 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2013-12-12 08:53 - 2013-10-30 03:19 - 00301568 _____ (Microsoft Corporation) C:\Windows\system32\msieftp.dll
2013-12-12 08:53 - 2013-10-19 02:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2013-12-12 08:53 - 2013-10-12 03:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2013-12-12 08:53 - 2013-10-12 03:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2013-12-12 08:53 - 2013-10-12 02:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2013-12-12 08:53 - 2013-10-12 02:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2013-12-12 08:52 - 2013-11-12 03:07 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-12-12 08:52 - 2013-10-30 02:27 - 02349056 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-12-12 08:52 - 2013-10-04 02:49 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2013-12-12 08:52 - 2013-10-04 02:17 - 00177152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
==================== One Month Modified Files and Folders =======
2014-01-10 15:17 - 2014-01-10 15:17 - 00005277 _____ C:\Users\Anonym\Downloads\FRST.txt
2014-01-10 15:16 - 2009-07-14 05:39 - 01186104 _____ C:\Windows\setupact.log
2014-01-10 15:11 - 2009-07-14 05:34 - 00022032 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-10 15:11 - 2009-07-14 05:34 - 00022032 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-10 15:09 - 2014-01-06 14:19 - 00000000 ____D C:\FRST
2014-01-10 15:09 - 2014-01-06 14:17 - 01066141 _____ (Farbar) C:\Users\Anonym\Downloads\FRST.exe
2014-01-10 15:09 - 2010-11-20 22:01 - 00005194 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-10 15:07 - 2013-11-01 19:07 - 00000917 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {A694DE30-5F99-4288-B18F-0FC22B6D624B}.job
2014-01-10 15:07 - 2013-11-01 19:07 - 00000731 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {A694DE30-5F99-4288-B18F-0FC22B6D624B}.job
2014-01-10 15:07 - 2013-03-26 13:25 - 00000000 ____D C:\Users\Admin\AppData\Local\Mozilla
2014-01-10 15:07 - 2013-03-25 15:46 - 01944976 _____ C:\Windows\WindowsUpdate.log
2014-01-10 15:07 - 2009-07-14 05:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2014-01-10 14:59 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-10 14:53 - 2013-03-26 14:07 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-10 14:43 - 2014-01-06 14:54 - 00192037 _____ C:\Users\Anonym\Downloads\gmer.log
2014-01-10 14:29 - 2014-01-10 14:27 - 00000241 _____ C:\Users\Anonym\Downloads\Neues Textdokument.txt
2014-01-10 14:21 - 2013-11-01 18:21 - 00000917 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {03A9264B-F446-42F5-90B8-162111576567}.job
2014-01-10 14:21 - 2013-11-01 18:21 - 00000731 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {03A9264B-F446-42F5-90B8-162111576567}.job
2014-01-10 14:13 - 2014-01-10 14:13 - 00000000 ____D C:\Users\Anonym\AppData\Local\PDF24
2014-01-10 14:07 - 2014-01-10 14:07 - 00000000 ____D C:\Users\Admin\AppData\Local\PDF24
2014-01-10 14:04 - 2013-03-25 19:53 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2014-01-10 14:02 - 2013-03-26 13:24 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-01-10 14:01 - 2014-01-10 14:01 - 00001819 _____ C:\Users\Public\Desktop\PDF24 Creator.lnk
2014-01-10 14:01 - 2013-06-23 10:00 - 00000000 ____D C:\Program Files\PDF24
2014-01-10 11:14 - 2014-01-09 16:31 - 00000000 ____D C:\Users\Anonym\Desktop\KORRESPONDENZ - BLANKO
2014-01-10 11:01 - 2014-01-07 11:50 - 00000000 ____D C:\Users\Anonym\AppData\Roaming\Foxit Scanner Images
2014-01-09 14:59 - 2014-01-09 14:59 - 00000000 ____D C:\Users\Anonym\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google+ Auto Backup
2014-01-09 04:25 - 2009-07-14 05:53 - 00032634 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-08 16:38 - 2013-06-21 17:34 - 00031744 _____ C:\Users\Anonym\Desktop\Privat - Sonstiges 2014.xls
2014-01-07 13:59 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2014-01-06 20:23 - 2014-01-06 20:23 - 04558848 _____ (Google Inc.) C:\Windows\system32\GPhotos.scr
2014-01-06 14:17 - 2014-01-06 14:17 - 00377856 _____ C:\Users\Anonym\Downloads\gmer_2.1.19163.exe
2014-01-06 13:58 - 2013-06-20 09:23 - 00000000 ____D C:\Users\Anonym\AppData\Roaming\KeePass
2014-01-06 12:57 - 2014-01-06 12:57 - 00000000 ____D C:\Program Files\OpenEstate-ImmoTool
2013-12-28 14:17 - 2013-12-28 14:16 - 00000000 ____D C:\Users\Anonym\Desktop\Neuer Ordner
2013-12-16 08:24 - 2013-05-22 18:53 - 00000000 ____D C:\Windows\Minidump
2013-12-16 08:23 - 2013-12-16 08:23 - 00131072 ____N C:\Windows\Minidump\121613-30342-01.dmp
2013-12-14 16:07 - 2013-12-14 16:07 - 00131072 ____N C:\Windows\Minidump\121413-34039-01.dmp
2013-12-12 14:48 - 2009-07-14 05:33 - 00301632 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-12 14:46 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\de-DE
2013-12-12 14:43 - 2013-03-25 20:18 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-12-12 14:41 - 2013-07-19 07:41 - 00000000 ____D C:\Windows\system32\MRT
2013-12-12 14:39 - 2013-03-25 21:37 - 88123800 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-12-11 08:53 - 2013-03-26 14:07 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-12-11 08:53 - 2013-03-26 14:07 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\Foxit Updater.exe
C:\Users\Admin\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Anonym\AppData\Local\Temp\Checkupdate.exe
C:\Users\Anonym\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Anonym\AppData\Local\Temp\Foxit Updater.exe
C:\Users\Anonym\AppData\Local\Temp\gcapi_dll.dll
C:\Users\Anonym\AppData\Local\Temp\gtapi_signed.dll
C:\Users\Anonym\AppData\Local\Temp\secuniasi3858215019176989230.dll
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
LastRegBack: 2014-01-10 12:33
==================== End Of Log ============================
GMER, Part 1 Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2014-01-06 14:54:37
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD2500BEVS-60UST0 rev.01.01A01 232,89GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uxliapoc.sys
---- System - GMER 2.1 ----
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwAllocateVirtualMemory [0x8DB920BE]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwAlpcConnectPort [0x8DB95566]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwAlpcSendWaitReceivePort [0x8DB9509C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwAssignProcessToJobObject [0x8DB92C88]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwClose [0x8DB95B8C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwConnectPort [0x8DB94418]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateFile [0x8DB9395C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateKey [0x8DB94B10]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateProcess [0x8DB92EDE]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateProcessEx [0x8DB92F94]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateSection [0x8DB9327E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateThread [0x8DB91A2E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwCreateThreadEx [0x8DB95DA8]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwDeviceIoControlFile [0x8DB94C80]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwDuplicateObject [0x8DB9911A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwFsControlFile [0x8DB94F38]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwLoadDriver [0x8DB92594]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwMakeTemporaryObject [0x8DB95934]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwOpenFile [0x8DB9374E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwOpenProcess [0x8DB98B72]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwOpenSection [0x8DB9304E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwOpenThread [0x8DB98E22]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwProtectVirtualMemory [0x8DB91F42]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwQueueApcThread [0x8DB92DB0]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwReplaceKey [0x8DB95782]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwRequestPort [0x8DB94586]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwRequestWaitReplyPort [0x8DB93F1A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwRestoreKey [0x8DB9580C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSecureConnectPort [0x8DB949A0]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSetContextThread [0x8DB91B9E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSetSecurityObject [0x8DB956DC]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSetSystemInformation [0x8DB9278E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwShutdownSystem [0x8DB9589E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSuspendProcess [0x8DB91E1A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSuspendThread [0x8DB91CF4]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwSystemDebugControl [0x8DB92BBA]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwTerminateProcess [0x8DB98A6A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwTerminateThread [0x8DB9930C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwUnloadDriver [0x8DB959CA]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2013\bdselfpr.sys ZwWriteVirtualMemory [0x8DB918B2]
SYSENTER \SystemRoot\system32\DRIVERS\avc3.sys 8889E000
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82A76A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB0212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82AB7488 4 Bytes [BE, 20, B9, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82AB7494 4 Bytes [66, 55, B9, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82AB74D8 4 Bytes [9C, 50, B9, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82AB74E8 4 Bytes [88, 2C, B9, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82AB7504 4 Bytes [8C, 5B, B9, 8D]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x93431340, 0x3EE217, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[108] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[108] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[108] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\System32\svchost.exe[1216] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\System32\svchost.exe[1216] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\System32\svchost.exe[1216] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\System32\svchost.exe[1216] USERENV.dll!LoadUserProfileW + 1F1 00E31C9D 5 Bytes JMP 74D26421
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\System32\svchost.exe[1268] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\System32\svchost.exe[1268] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\System32\svchost.exe[1268] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\System32\svchost.exe[1268] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\System32\svchost.exe[1268] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\System32\svchost.exe[1268] SHELL32.dll!Shell_NotifyIconW 75930171 5 Bytes JMP 74D24891
.text C:\Windows\System32\svchost.exe[1268] SHELL32.dll!SHRestricted + 251E 75991621 5 Bytes JMP 74D26421
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[1328] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[1352] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[1352] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[1352] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[1352] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[1352] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[1588] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[1588] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[1588] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[1588] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[1588] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtVdmControl + 5 775E6A0D 5 Bytes JMP 74D26391
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\System32\spoolsv.exe[1700] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\System32\spoolsv.exe[1700] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\System32\spoolsv.exe[1700] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26541
.text C:\Windows\System32\spoolsv.exe[1700] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\System32\spoolsv.exe[1700] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\System32\spoolsv.exe[1700] SHELL32.dll!Shell_NotifyIconW 75930171 5 Bytes JMP 74D24891
.text C:\Windows\System32\spoolsv.exe[1700] SHELL32.dll!SHRestricted + 251E 75991621 5 Bytes JMP 74D265D1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[1776] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[1776] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[1776] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[1776] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[1776] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!WahWriteLSPEvent 76F4145D 5 Bytes JMP 74D26421
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!closesocket 76F43918 5 Bytes JMP 74D25851
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!WSASocketW 76F43CD3 5 Bytes JMP 74D257C1
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!socket 76F43EB8 5 Bytes JMP 74D260C1
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!WSASend 76F44406 5 Bytes JMP 74D220A1
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!GetAddrInfoW 76F44889 5 Bytes JMP 74D25191
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!recv 76F46B0E 5 Bytes JMP 74D26271
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!connect 76F46BDD 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!connect 76F46BDD 5 Bytes JMP 74D23DE1
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!send 76F46F01 5 Bytes JMP 74D22011
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!WSARecv 76F47089 5 Bytes JMP 74D26301
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!WSAConnect 76F4CC3F 5 Bytes JMP 74D261E1
.text C:\Windows\system32\svchost.exe[1776] WS2_32.dll!gethostbyname 76F57673 5 Bytes JMP 74D25221
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Windows\system32\svchost.exe[1876] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Windows\system32\svchost.exe[1876] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!_lock + 29 7742A472 5 Bytes JMP 74D26391
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!__p__fmode 774327CE 5 Bytes JMP 74D21B91
.text C:\Windows\system32\svchost.exe[1876] msvcrt.dll!__p__environ 7743E6CF 5 Bytes JMP 74D21B01
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21E61
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D01
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22D91
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22C71
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22BE1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23181
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D23061
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D230F1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D24651
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D22FD1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25971
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D22251
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D258E1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtVdmControl + 5 775E6A0D 5 Bytes JMP 74D26391
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22F41
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21A71
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D21F81
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D246E1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21EF1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21D41
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D22911
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D22641
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D22521
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22EB1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D245C1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D227F1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!ReadConsoleA 768BC928 5 Bytes JMP 74D244A1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!ReadConsoleInputA 768BD04F 5 Bytes JMP 74D24261
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] kernel32.dll!ReadConsoleInputW 768BD072 5 Bytes JMP 74D24381
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!FindWindowExA 76A46F69 5 Bytes JMP 74D25C41
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!FindWindowA 76A48FF3 5 Bytes JMP 74D25BB1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!CallNextHookEx 76A4ABE1 5 Bytes JMP 74D24771
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!UnhookWindowsHookEx 76A4ADF9 5 Bytes JMP 74D24801
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!FindWindowW 76A4AE0D 5 Bytes JMP 74D25CD1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!PostMessageA 76A4B446 5 Bytes JMP 74D26421
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!CreateWindowExA 76A4BF40 5 Bytes JMP 74D25341
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!SetWindowsHookExW 76A4E30C 5 Bytes JMP 74D22AC1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!CreateWindowExW 76A4EC7C 5 Bytes JMP 74D252B1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!ShowWindow 76A4F2A9 5 Bytes JMP 74D253D1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!GetMessageA 76A51899 5 Bytes JMP 74D23F91
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!PeekMessageA 76A519A5 5 Bytes JMP 74D240B1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!PostMessageW 76A5447B 5 Bytes JMP 74D264B1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!SetWindowTextW 76A5612B 5 Bytes JMP 74D25731
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!PeekMessageW 76A5634A 5 Bytes JMP 74D24141
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!GetMessageW 76A5CDE8 5 Bytes JMP 74D24021
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!UserClientDllInitialize 76A5D711 5 Bytes JMP 74D26541
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!SetWindowTextA 76A70C5B 5 Bytes JMP 74D256A1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!DialogBoxIndirectParamAorW 76A73B40 5 Bytes JMP 74D254F1
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!CreateDialogIndirectParamAorW 76A75327 5 Bytes JMP 74D25461
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!SetWindowsHookExA 76A76D0C 5 Bytes JMP 74D22A31
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!FindWindowExW 76A7712B 5 Bytes JMP 74D25D61
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!MessageBoxExA 76A9E9C9 5 Bytes JMP 74D25581
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1948] USER32.dll!MessageBoxExW 76A9E9ED 5 Bytes JMP 74D25611
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtClose + 5 775E550D 5 Bytes JMP 74D25F11
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtCreateFile + 5 775E560D 5 Bytes JMP 74D21EF1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtCreateProcess + 5 775E56DD 5 Bytes JMP 74D22D91
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtCreateProcessEx + 5 775E56ED 5 Bytes JMP 74D22E21
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtCreateThread + 5 775E575D 5 Bytes JMP 74D22D01
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtCreateThreadEx + 5 775E576D 5 Bytes JMP 74D22C71
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtDuplicateObject + 5 775E58DD 5 Bytes JMP 74D23211
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtLoadDriver + 5 775E5B9D 2 Bytes JMP 74D25FA1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtLoadDriver + 8 775E5BA0 2 Bytes [74, FD] {JZ 0xffffffff}
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtMapViewOfSection + 5 775E5C6D 5 Bytes JMP 74D215F1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtOpenProcess + 5 775E5DCD 5 Bytes JMP 74D230F1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtQueueApcThread + 5 775E62BD 5 Bytes JMP 74D23181
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtRaiseHardError + 5 775E62ED 5 Bytes JMP 74D246E1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtSetContextThread + 5 775E65AD 5 Bytes JMP 74D23061
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtSetInformationProcess + 5 775E66BD 5 Bytes JMP 74D25A01
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtSetSystemInformation + 5 775E67CD 5 Bytes JMP 74D26031
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtSetValueKey + 5 775E684D 5 Bytes JMP 74D222E1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtTerminateProcess + 5 775E690D 5 Bytes JMP 74D25971
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtUnmapViewOfSection + 5 775E69FD 5 Bytes JMP 74D21681
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtVdmControl + 5 775E6A0D 5 Bytes JMP 74D26391
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!NtWriteVirtualMemory + 5 775E6ADD 5 Bytes JMP 74D22FD1
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!RtlQueryPerformanceCounter 775F313F 5 Bytes JMP 74D21B01
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!RtlCreateProcessParametersEx 77606F19 5 Bytes JMP 74D22011
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!RtlReportException 77645F59 5 Bytes JMP 74D24771
.text C:\Windows\system32\rundll32.exe[2160] ntdll.dll!RtlCreateProcessParameters 776498A2 5 Bytes JMP 74D21F81
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!GetStartupInfoA 76811E10 5 Bytes JMP 74D21DD1
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!CreateProcessA 76812082 5 Bytes JMP 74D229A1
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!CreateToolhelp32Snapshot 7684FD29 4 Bytes JMP 74D226D1
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!Process32NextW 768500C2 5 Bytes JMP 74D25E81
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!LoadLibraryA 7685DC55 5 Bytes JMP 74D225B1
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!CreateProcessInternalW 76860792 5 Bytes JMP 74D22F41
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!ReadConsoleW 768726AE 5 Bytes JMP 74D24651
.text C:\Windows\system32\rundll32.exe[2160] kernel32.dll!WinExec 7689ED9E 5 Bytes JMP 74D22881