GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-14 21:33:08 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.0040 Running: 7pqowpfd.exe; Driver: C:\Users\JAKKOL~1\AppData\Local\Temp\kwtiraob.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x900CD9BE] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x900CD958] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x900CD96C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x900CD9FC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x900CDA3F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x900CD930] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x900CD944] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x900CD9D2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x900CDA67] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x900CDA53] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x900CD9AA] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x900CD996] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x900CDA2B] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x900CDA12] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x900CD9E8] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x900CD982] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwYieldExecution 82469190 5 Bytes JMP 900CD9EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8260317C 5 Bytes JMP 900CDA43 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateUserProcess 8260ADD5 5 Bytes JMP 900CD986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 82624F8A 5 Bytes JMP 900CDA2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 826441D4 5 Bytes JMP 900CD948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 82653B10 5 Bytes JMP 900CD934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 8266674E 7 Bytes JMP 900CDA00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82666DA5 5 Bytes JMP 900CDA16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 82668FB6 5 Bytes JMP 900CD9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 82676674 5 Bytes JMP 900CD99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 826788CE 7 Bytes JMP 900CD9D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 82697452 5 Bytes JMP 900CDA57 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 8269849E 2 Bytes JMP 900CDA6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey + 3 826984A1 2 Bytes [A3, 0D] PAGE ntkrnlpa.exe!ZwCreateProcess 826D61AF 5 Bytes JMP 900CD95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 826D61FA 7 Bytes JMP 900CD970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 826D6CB7 5 Bytes JMP 900CD9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A752480, 0x3C939, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A793900, 0x3CA, 0x48000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E60C000, 0x1FB0FA, 0xE8000020] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9D651300, 0x3AE88, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9D694300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[628] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[628] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Windows\system32\services.exe[756] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 0048009B .text C:\Windows\system32\services.exe[756] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 00480F55 .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 004800D8 .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 004800BD .text C:\Windows\system32\services.exe[756] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 00480062 .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 0048002C .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00480F88 .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00480FA5 .text C:\Windows\system32\services.exe[756] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00480F77 .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00480047 .text C:\Windows\system32\services.exe[756] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00480FC0 .text C:\Windows\system32\services.exe[756] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00480F66 .text C:\Windows\system32\services.exe[756] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00480F1C .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00480FE5 .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00480000 .text C:\Windows\system32\services.exe[756] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 0048001B .text C:\Windows\system32\services.exe[756] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 004800AC .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00130062 .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 0013003D .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00130FEF .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00130FC0 .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00130087 .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00130011 .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00130000 .text C:\Windows\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00130022 .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 004E0FAD .text C:\Windows\system32\services.exe[756] msvcrt.dll!system 77328B63 5 Bytes JMP 004E0038 .text C:\Windows\system32\services.exe[756] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 004E001D .text C:\Windows\system32\services.exe[756] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 004E0000 .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 004E0FC8 .text C:\Windows\system32\services.exe[756] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 004E0FEF .text C:\Windows\system32\services.exe[756] WS2_32.dll!socket 772536D1 5 Bytes JMP 00490000 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 000D0054 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 000D0F0E .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 000D0ED8 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 000D006F .text C:\Windows\system32\lsass.exe[768] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 000D0039 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 000D0F9E .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 000D001E .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 000D0F7C .text C:\Windows\system32\lsass.exe[768] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 000D0F3A .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 000D0F61 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 000D0F8D .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 000D0F1F .text C:\Windows\system32\lsass.exe[768] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 000D0080 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 000D0FD4 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 000D0FEF .text C:\Windows\system32\lsass.exe[768] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 000D0FC3 .text C:\Windows\system32\lsass.exe[768] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 000D0EF3 .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 000C0011 .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 000C0F79 .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 000C0FEF .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 000C0000 .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 000C0F54 .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 000C0FAF .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 000C0FCA .text C:\Windows\system32\lsass.exe[768] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 000C0F94 .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 008F0FA3 .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!system 77328B63 5 Bytes JMP 008F0FB4 .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 008F001D .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 008F0000 .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 008F002E .text C:\Windows\system32\lsass.exe[768] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 008F0FE3 .text C:\Windows\system32\lsass.exe[768] WS2_32.dll!socket 772536D1 5 Bytes JMP 000E0FEF .text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 001A00CB .text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 001A00B0 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 001A00E6 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 001A0F4F .text C:\Windows\system32\svchost.exe[924] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 001A007D .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 001A001B .text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 001A0062 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 001A003D .text C:\Windows\system32\svchost.exe[924] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 001A008E .text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 001A0FA5 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 001A002C .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 001A009F .text C:\Windows\system32\svchost.exe[924] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 001A0F34 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 001A0000 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 001A0FE5 .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 001A0FCA .text C:\Windows\system32\svchost.exe[924] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 001A0F60 .text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 001C0FA8 .text C:\Windows\system32\svchost.exe[924] msvcrt.dll!system 77328B63 5 Bytes JMP 001C0FC3 .text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 001C0FDE .text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 001C0000 .text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 001C0033 .text C:\Windows\system32\svchost.exe[924] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 001C0FEF .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00190054 .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00190FCD .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00190FEF .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00190FB2 .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00190065 .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 0019001E .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00190FDE .text C:\Windows\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00190039 .text C:\Windows\system32\svchost.exe[924] WS2_32.dll!socket 772536D1 5 Bytes JMP 001B0FEF .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 002A008E .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 002A0F52 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 002A00B0 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 002A009F .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 002A0051 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 002A0FCA .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 002A0F77 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 002A0F9E .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 002A0062 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 002A0036 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 002A0FAF .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 002A007D .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 002A0EFE .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 002A0000 .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 002A0FEF .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 002A001B .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 002A0F2D .text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00490FB7 .text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!system 77328B63 5 Bytes JMP 00490FC8 .text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 0049001D .text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00490000 .text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 0049002E .text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00490FE3 .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00290062 .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 0029002C .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00290FEF .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00290047 .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00290FA5 .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 0029001B .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 0029000A .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00290FC0 .text C:\Windows\system32\svchost.exe[1068] WS2_32.dll!socket 772536D1 5 Bytes JMP 00480FE5 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 005A0F32 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 005A0F43 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 005A0F06 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 005A009D .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 005A0F6F .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 005A0000 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 005A0053 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 005A001B .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 005A0F5E .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 005A0036 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 005A0F94 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 005A006E .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 005A00AE .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 005A0FD4 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 005A0FE5 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 005A0FB9 .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 005A0F21 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00600FD4 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 77328B63 5 Bytes JMP 00600069 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 00600029 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 0060000C .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 00600044 .text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00600FEF .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00230054 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00230FB2 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00230FEF .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00230043 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00230065 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00230014 .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00230FDE .text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00230FC3 .text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 772536D1 5 Bytes JMP 005F0FE5 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 000F0F41 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 000F0F52 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 000F00CE .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 000F00B3 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 000F0F6D .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 000F0FD4 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 000F0047 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 000F0FA5 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 000F006C .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 000F0F8A .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 000F0036 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 000F007D .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 000F00DF .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 000F0FEF .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 000F0000 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 000F0025 .text C:\Windows\System32\svchost.exe[1236] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 000F00A2 .text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00660042 .text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!system 77328B63 5 Bytes JMP 00660031 .text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 00660FC1 .text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00660FEF .text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 00660016 .text C:\Windows\System32\svchost.exe[1236] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00660FDE .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 005F006C .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 005F0FEF .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 005F000A .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 005F0FD4 .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 005F0091 .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 005F0036 .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 005F0025 .text C:\Windows\System32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 005F005B .text C:\Windows\System32\svchost.exe[1236] WS2_32.dll!socket 772536D1 5 Bytes JMP 00620FEF .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 00DE0F29 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 00DE0F3A .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 00DE00AF .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 00DE009E .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 00DE0F77 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 00DE0FC0 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00DE0F88 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00DE0FAF .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00DE0F66 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00DE0051 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00DE002C .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00DE0F4B .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00DE0EFD .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00DE0011 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00DE0000 .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 00DE0FDB .text C:\Windows\System32\svchost.exe[1280] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 00DE0F18 .text C:\Windows\System32\svchost.exe[1280] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 01050050 .text C:\Windows\System32\svchost.exe[1280] msvcrt.dll!system 77328B63 5 Bytes JMP 0105003F .text C:\Windows\System32\svchost.exe[1280] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 0105002E .text C:\Windows\System32\svchost.exe[1280] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 01050000 .text C:\Windows\System32\svchost.exe[1280] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 01050FCF .text C:\Windows\System32\svchost.exe[1280] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 0105001D .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00DF0F68 .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00DF0F94 .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00DF0FEF .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00DF0F83 .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00DF0025 .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00DF0FCA .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00DF0000 .text C:\Windows\System32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00DF0FB9 .text C:\Windows\System32\svchost.exe[1280] WS2_32.dll!socket 772536D1 5 Bytes JMP 01040000 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 010400B0 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 01040F6A .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 01040F4F .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 010400DC .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 01040F8F .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 01040036 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 01040069 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 01040FC0 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 01040084 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 01040058 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 01040047 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 01040095 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 01040101 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 01040FE5 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 01040000 .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 0104001B .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 010400C1 .text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 010A0F7F .text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!system 77328B63 5 Bytes JMP 010A0F90 .text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 010A0000 .text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 010A0FEF .text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 010A0FAB .text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 010A0FD2 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00DF007A .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00DF0058 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00DF0000 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00DF0069 .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00DF0FBD .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00DF002C .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00DF001B .text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00DF0047 .text C:\Windows\system32\svchost.exe[1296] WS2_32.dll!socket 772536D1 5 Bytes JMP 01050FEF .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 00A100DE .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 761419C9 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 00A100CD .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 00A1010A .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 00A100EF .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 00A10FAC .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 00A10036 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00A10090 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00A10058 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00A100A1 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00A10069 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00A10047 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00A100B2 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00A1011B .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00A10FE5 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00A10000 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 00A10025 .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 00A10F7D .text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 01000053 .text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!system 77328B63 5 Bytes JMP 01000042 .text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 0100001D .text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 01000000 .text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 01000FC8 .text C:\Windows\system32\svchost.exe[1512] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 01000FE3 .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00A00FCA .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00A00051 .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00A00000 .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00A0006C .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00A00FAF .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00A00FE5 .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00A0001B .text C:\Windows\system32\svchost.exe[1512] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00A00036 .text C:\Windows\system32\svchost.exe[1512] WS2_32.dll!socket 772536D1 5 Bytes JMP 00A60000 .text C:\Windows\system32\svchost.exe[1512] WinInet.dll!InternetOpenA 75D20A4D 5 Bytes JMP 001B0FEF .text C:\Windows\system32\svchost.exe[1512] WinInet.dll!InternetOpenUrlA 75D22713 5 Bytes JMP 001B0FD4 .text C:\Windows\system32\svchost.exe[1512] WinInet.dll!InternetOpenW 75D230C8 5 Bytes JMP 001B0000 .text C:\Windows\system32\svchost.exe[1512] WinInet.dll!InternetOpenUrlW 75D784F1 5 Bytes JMP 001B0FB9 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 005300A2 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 00530087 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 005300E2 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 005300BD .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 00530F6D .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 00530FC0 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00530047 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00530F94 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 0053006C .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00530036 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00530FAF .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00530F5C .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00530F30 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00530011 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00530000 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 00530FD1 .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 00530F41 .text C:\Windows\system32\svchost.exe[1640] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00550062 .text C:\Windows\system32\svchost.exe[1640] msvcrt.dll!system 77328B63 5 Bytes JMP 0055003D .text C:\Windows\system32\svchost.exe[1640] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 00550011 .text C:\Windows\system32\svchost.exe[1640] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00550FEF .text C:\Windows\system32\svchost.exe[1640] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 0055002C .text C:\Windows\system32\svchost.exe[1640] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00550000 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00520F91 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00520033 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00520000 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00520FAC .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00520F76 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00520022 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00520011 .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00520FD1 .text C:\Windows\system32\svchost.exe[1640] WS2_32.dll!socket 772536D1 5 Bytes JMP 00540FEF .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 004F005B .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 004F0F15 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 004F0076 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 004F0EE9 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 004F0F4B .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 004F0FC3 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 004F0F66 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 004F002F .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 004F004A .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 004F0F83 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 004F0F9E .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 004F0F3A .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 004F0087 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 004F0FDE .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 004F0FEF .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 004F0014 .text C:\Windows\system32\svchost.exe[1888] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 004F0EFA .text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00670FA3 .text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!system 77328B63 5 Bytes JMP 00670FBE .text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 0067001D .text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00670000 .text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 00670038 .text C:\Windows\system32\svchost.exe[1888] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00670FE3 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 004E0FB2 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 004E0039 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 004E0FEF .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 004E0054 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 004E0FA1 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 004E0FD4 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 004E0014 .text C:\Windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 004E0FC3 .text C:\Windows\system32\svchost.exe[1888] WS2_32.dll!socket 772536D1 5 Bytes JMP 00500000 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 00800F72 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 008000B8 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 008000EE .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 008000DD .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 00800F94 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 0080002C .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00800078 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00800051 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00800089 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00800FAF .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00800FCA .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00800F83 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00800F46 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00800011 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00800000 .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 00800FDB .text C:\Windows\system32\svchost.exe[2296] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 00800F61 .text C:\Windows\system32\svchost.exe[2296] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00A0003D .text C:\Windows\system32\svchost.exe[2296] msvcrt.dll!system 77328B63 5 Bytes JMP 00A0002C .text C:\Windows\system32\svchost.exe[2296] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 00A00FC3 .text C:\Windows\system32\svchost.exe[2296] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00A00FEF .text C:\Windows\system32\svchost.exe[2296] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 00A00FB2 .text C:\Windows\system32\svchost.exe[2296] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00A00FDE .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00650F9E .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00650040 .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00650000 .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00650FB9 .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00650F83 .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00650FEF .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 0065001B .text C:\Windows\system32\svchost.exe[2296] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00650FDE .text C:\Windows\system32\svchost.exe[2296] WS2_32.dll!socket 772536D1 5 Bytes JMP 009F0FEF .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 00600EF8 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 00600F09 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 0060007E .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 00600EE7 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 00600F3F .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 00600FA8 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00600F5A .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00600F86 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00600034 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00600F6B .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00600F97 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00600F24 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00600ED6 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00600FD4 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00600FEF .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 00600FB9 .text C:\Windows\system32\svchost.exe[2320] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 00600063 .text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00670F9C .text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!system 77328B63 5 Bytes JMP 00670FB7 .text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 0067000C .text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00670FEF .text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 00670027 .text C:\Windows\system32\svchost.exe[2320] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 00670FD2 .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 005B003D .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 005B0011 .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 005B0FEF .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 005B0022 .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 005B0058 .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 005B0FCA .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 005B0000 .text C:\Windows\system32\svchost.exe[2320] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 005B0FAF .text C:\Windows\system32\svchost.exe[2320] WS2_32.dll!socket 772536D1 5 Bytes JMP 00610FEF .text C:\Windows\Explorer.EXE[3012] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 00010091 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 00010076 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 00010F1C .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 000100B3 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 0001005B .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 00010FAF .text C:\Windows\Explorer.EXE[3012] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00010F83 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00010036 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00010F5C .text C:\Windows\Explorer.EXE[3012] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00010F94 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 00010025 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00010F4B .text C:\Windows\Explorer.EXE[3012] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 00010F01 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 00010FE5 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00010000 .text C:\Windows\Explorer.EXE[3012] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 00010FCA .text C:\Windows\Explorer.EXE[3012] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 000100A2 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00060073 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00060051 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00060000 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00060062 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00060FB6 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 0006001B .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00060FE5 .text C:\Windows\Explorer.EXE[3012] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 0006002C .text C:\Windows\Explorer.EXE[3012] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00070FD4 .text C:\Windows\Explorer.EXE[3012] msvcrt.dll!system 77328B63 5 Bytes JMP 0007005F .text C:\Windows\Explorer.EXE[3012] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 0007003A .text C:\Windows\Explorer.EXE[3012] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 0007000C .text C:\Windows\Explorer.EXE[3012] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 00070FEF .text C:\Windows\Explorer.EXE[3012] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 0007001D .text C:\Windows\Explorer.EXE[3012] WS2_32.dll!socket 772536D1 5 Bytes JMP 03170000 .text C:\Windows\Explorer.EXE[3012] WININET.dll!InternetOpenA 75D20A4D 5 Bytes JMP 024E0FEF .text C:\Windows\Explorer.EXE[3012] WININET.dll!InternetOpenUrlA 75D22713 5 Bytes JMP 024E0FB9 .text C:\Windows\Explorer.EXE[3012] WININET.dll!InternetOpenW 75D230C8 5 Bytes JMP 024E0FDE .text C:\Windows\Explorer.EXE[3012] WININET.dll!InternetOpenUrlW 75D784F1 5 Bytes JMP 024E000A .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!GetStartupInfoW 76141929 5 Bytes JMP 000100BD .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!GetStartupInfoA 761419C9 5 Bytes JMP 000100A2 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreateProcessW 76141C01 5 Bytes JMP 00010F4B .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreateProcessA 76141C36 5 Bytes JMP 00010F5C .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!VirtualProtect 76141DD1 5 Bytes JMP 0001006F .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreateNamedPipeW 76145C44 5 Bytes JMP 00010FD4 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!LoadLibraryExW 761630C3 5 Bytes JMP 00010F97 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!LoadLibraryW 7616361F 5 Bytes JMP 00010FC3 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!VirtualProtectEx 76168D7E 5 Bytes JMP 00010080 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!LoadLibraryExA 76169469 5 Bytes JMP 00010FB2 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!LoadLibraryA 76169491 5 Bytes JMP 0001004A .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreatePipe 76170284 5 Bytes JMP 00010091 .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!GetProcAddress 7618B8B6 5 Bytes JMP 000100FD .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreateFileW 7618CC4E 5 Bytes JMP 0001000A .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreateFileA 7618CF71 5 Bytes JMP 00010FEF .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!CreateNamedPipeA 761D430E 5 Bytes JMP 0001001B .text C:\Windows\System32\svchost.exe[3096] kernel32.dll!WinExec 761D54FF 5 Bytes JMP 000100D8 .text C:\Windows\System32\svchost.exe[3096] msvcrt.dll!_wsystem 77328A47 5 Bytes JMP 00050F9C .text C:\Windows\System32\svchost.exe[3096] msvcrt.dll!system 77328B63 5 Bytes JMP 00050FB7 .text C:\Windows\System32\svchost.exe[3096] msvcrt.dll!_creat 7732C6F1 5 Bytes JMP 00050FD2 .text C:\Windows\System32\svchost.exe[3096] msvcrt.dll!_open 7732DA7E 5 Bytes JMP 00050FEF .text C:\Windows\System32\svchost.exe[3096] msvcrt.dll!_wcreat 7732DC9E 5 Bytes JMP 0005001D .text C:\Windows\System32\svchost.exe[3096] msvcrt.dll!_wopen 7732DE79 5 Bytes JMP 0005000C .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegCreateKeyExA 75E0B5E7 5 Bytes JMP 00060FAF .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegCreateKeyA 75E0B8AE 5 Bytes JMP 00060051 .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegOpenKeyA 75E10BF5 5 Bytes JMP 00060000 .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegCreateKeyW 75E1B83D 5 Bytes JMP 00060FC0 .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegCreateKeyExW 75E1BCE1 5 Bytes JMP 00060F94 .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegOpenKeyExA 75E1D4E8 5 Bytes JMP 00060FE5 .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegOpenKeyW 75E23CB0 5 Bytes JMP 00060011 .text C:\Windows\System32\svchost.exe[3096] ADVAPI32.dll!RegOpenKeyExW 75E2F09D 5 Bytes JMP 00060036 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) ---- EOF - GMER 1.0.15 ----