GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-15 18:28:31
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LB01
Running: 0ce5xe89.exe; Driver: C:\Users\Jeet\AppData\Local\Temp\kwrdypow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C6D59BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C6D5958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C6D596C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C6D59FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C6D5A3F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C6D5930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C6D5944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C6D59D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C6D5A67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C6D5A53]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C6D59AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C6D5996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C6D5A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C6D5A12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C6D59E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C6D5982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 820B5AC6 5 Bytes JMP 8C6D59EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8213870E 5 Bytes JMP 8C6D5A43 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82139BA6 5 Bytes JMP 8C6D5A57 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8213BD42 5 Bytes JMP 8C6D5A6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8218EE0C 5 Bytes JMP 8C6D59C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 821D0396 7 Bytes JMP 8C6D5A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 821E0D88 5 Bytes JMP 8C6D5A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 821E890B 7 Bytes JMP 8C6D59D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822125FA 5 Bytes JMP 8C6D595C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82212645 7 Bytes JMP 8C6D5970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82213AA7 5 Bytes JMP 8C6D5934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 82213E07 5 Bytes JMP 8C6D5948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82215EBB 5 Bytes JMP 8C6D599A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 8221AEBB 5 Bytes JMP 8C6D59AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8221B2B3 5 Bytes JMP 8C6D5A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 822227DF 5 Bytes JMP 8C6D5986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x81E0D000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x81E56000, 0x510, 0x40000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00900058
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 009000B3
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00900098
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 009000F0
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 009000DF
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 0090001B
.text C:\Windows\system32\services.exe[660] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 009000C4
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00900FCA
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 0090007D
.text C:\Windows\system32\services.exe[660] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00900F6D
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00900047
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00900F9E
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00900036
.text C:\Windows\system32\services.exe[660] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00900FAF
.text C:\Windows\system32\services.exe[660] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00900F34
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00900FE5
.text C:\Windows\system32\services.exe[660] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00900000
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 008B0FA3
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 008B003F
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 008B0FB4
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 008B005C
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 008B0FDB
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 008B0011
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 008B0000
.text C:\Windows\system32\services.exe[660] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 008B002E
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_open 7700A890 5 Bytes JMP 00930FEF
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00930F81
.text C:\Windows\system32\services.exe[660] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00930F9C
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00930FD2
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00930FB7
.text C:\Windows\system32\services.exe[660] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 0093000C
.text C:\Windows\system32\services.exe[660] WS2_32.dll!socket 76F94358 5 Bytes JMP 00920FEF
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 0022008C
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 002200DD
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00220F8D
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00220F6B
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 00220F7C
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 0022002F
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 002200F8
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00220FDE
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 002200B8
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 0022009D
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 0022006F
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00220FBC
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 0022005E
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00220FCD
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00220113
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00220FEF
.text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 0022000A
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 0021004C
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00210FA6
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00210FB7
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 0021005D
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00210FD4
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00210000
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00210FE5
.text C:\Windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00210027
.text C:\Windows\system32\lsass.exe[672] msvcrt.dll!_open 7700A890 5 Bytes JMP 00DB0000
.text C:\Windows\system32\lsass.exe[672] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00DB0FAD
.text C:\Windows\system32\lsass.exe[672] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00DB0FC8
.text C:\Windows\system32\lsass.exe[672] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00DB0FE3
.text C:\Windows\system32\lsass.exe[672] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00DB0038
.text C:\Windows\system32\lsass.exe[672] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00DB0011
.text C:\Windows\system32\lsass.exe[672] WS2_32.dll!socket 76F94358 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 007A0067
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 007A0F57
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 007A0093
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 007A00E4
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 007A00C9
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 007A0FCD
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 007A00B8
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 007A001E
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 007A0F72
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 007A0082
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 007A0F8D
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 007A002F
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 007A004A
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 007A0FB2
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 007A0F32
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 007A0FDE
.text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 007A0FEF
.text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_open 7700A890 5 Bytes JMP 00960000
.text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00960F9C
.text C:\Windows\system32\svchost.exe[864] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00960027
.text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00960FD2
.text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00960FB7
.text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00960FE3
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00790FA8
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 0079004E
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00790FB9
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00790F8B
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00790011
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00790000
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00790FE5
.text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00790FCA
.text C:\Windows\system32\svchost.exe[864] WS2_32.dll!socket 76F94358 5 Bytes JMP 00950FE5
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 006F0F81
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 006F0F5C
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 006F0098
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 006F0F30
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 006F0F41
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 006F0FDE
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 006F00BD
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 006F0FCD
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 006F0087
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 006F006C
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 006F005B
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 006F0040
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 006F0F9E
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 006F002F
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 006F0F15
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 006F000A
.text C:\Windows\system32\svchost.exe[956] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 006F0FEF
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_open 7700A890 5 Bytes JMP 00920FEF
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wsystem 7703AA4F 2 Bytes JMP 0092001B
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wsystem + 3 7703AA52 2 Bytes [8E, 89]
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00920F9A
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00920FB5
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[956] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00920FC6
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 006D0055
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 006D0072
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 006D0FD4
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 006D0083
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 006D002C
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 006D001B
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 006D0000
.text C:\Windows\system32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 006D0FE5
.text C:\Windows\system32\svchost.exe[956] WS2_32.dll!socket 76F94358 3 Bytes JMP 00850FE5
.text C:\Windows\system32\svchost.exe[956] WS2_32.dll!socket + 4 76F9435C 1 Byte [89]
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00A30FA3
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 00A30F70
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00A30F81
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00A300F6
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 00A300D1
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 00A30025
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 00A30F5F
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00A30036
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00A30F92
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00A30098
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00A30FB4
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00A3006C
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00A3007D
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00A3005B
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00A30111
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00A30FEF
.text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00A30000
.text C:\Windows\System32\svchost.exe[1080] msvcrt.dll!_open 7700A890 5 Bytes JMP 00F60000
.text C:\Windows\System32\svchost.exe[1080] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00F60F7F
.text C:\Windows\System32\svchost.exe[1080] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00F60F9A
.text C:\Windows\System32\svchost.exe[1080] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00F60FC6
.text C:\Windows\System32\svchost.exe[1080] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00F60FAB
.text C:\Windows\System32\svchost.exe[1080] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00F60FD7
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00A10FB9
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00A10FA8
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00A10044
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00A10F97
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00A10FD4
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00A1000A
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00A10FEF
.text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00A10033
.text C:\Windows\System32\svchost.exe[1080] WS2_32.dll!socket 76F94358 5 Bytes JMP 00A8000A
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 0119005B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 01190076
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 01190F30
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 01190EF3
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 01190F0E
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 0119000A
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 01190F1F
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 01190025
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 01190F4B
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 01190F66
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 01190F8D
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 01190FB9
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 01190F9E
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 01190040
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 01190ED8
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 01190FD4
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 01190FEF
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open 7700A890 5 Bytes JMP 011F0FEF
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 011F0F99
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system 7703AB6B 5 Bytes JMP 011F002E
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat 7703E711 5 Bytes JMP 011F000C
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 011F001D
.text C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 011F0FD2
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 01040033
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 01040050
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 01040018
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 01040061
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 01040FB9
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 01040FD4
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 01040FEF
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 01040FA8
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 76F94358 5 Bytes JMP 011A0FE5
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 01000F88
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 010000A2
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 01000F5C
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 01000F26
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 010000C7
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 01000FD4
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 01000F41
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 01000025
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 01000F77
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 0100007D
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 01000062
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 01000FAF
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 01000051
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 01000036
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 010000D8
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 01000FEF
.text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 0100000A
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!_open 7700A890 5 Bytes JMP 011A0FEF
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!_wsystem 7703AA4F 2 Bytes JMP 011A0044
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!_wsystem + 3 7703AA52 2 Bytes [16, 8A]
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!system 7703AB6B 5 Bytes JMP 011A0033
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!_creat 7703E711 5 Bytes JMP 011A0018
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 011A0FC3
.text C:\Windows\system32\svchost.exe[1160] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 011A0FDE
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00FB0FAD
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00FB0F9C
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00FB0FC8
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00FB006B
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00FB0027
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00FB0000
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00FB0FE5
.text C:\Windows\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00FB0038
.text C:\Windows\system32\svchost.exe[1160] WS2_32.dll!socket 76F94358 5 Bytes JMP 0119000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1180] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1180] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00E9006C
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 00E90F3A
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00E90F55
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00E900AC
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 00E9009B
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 00E9001B
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 00E90F1F
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00E90FD4
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00E90F66
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00E90F77
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00E9005B
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00E90FB9
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00E90F9E
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00E90040
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00E900D1
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00E90FE5
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00E90000
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_open 7700A890 5 Bytes JMP 00FC0000
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00FC0FAD
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00FC0042
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00FC0FE3
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00FC0FD2
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00FC0011
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00E40038
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00E40F92
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00E40027
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00E40061
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00E40000
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00E40FCA
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00E40FE5
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00E40FAD
.text C:\Windows\system32\svchost.exe[1340] WS2_32.dll!socket 76F94358 5 Bytes JMP 00FB0000
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenA 76ED3081 5 Bytes JMP 00F60FEF
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenW 76ED36B1 5 Bytes JMP 00F60FD4
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenUrlA 76ED6F5A 5 Bytes JMP 00F6000A
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenUrlW 76F18439 5 Bytes JMP 00F60025
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00990047
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 0099008E
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 0099007D
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00990F12
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 0099009F
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 0099001B
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 00990F23
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00990FCA
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00990062
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00990F52
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00990F79
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00990FAF
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00990F8A
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00990036
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00990F01
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00990FE5
.text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00990000
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_open 7700A890 5 Bytes JMP 009B0FE3
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wsystem 7703AA4F 2 Bytes JMP 009B0027
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wsystem + 3 7703AA52 2 Bytes [97, 89]
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!system 7703AB6B 5 Bytes JMP 009B0FA6
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_creat 7703E711 5 Bytes JMP 009B000C
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 009B0FC1
.text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 009B0FD2
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00980058
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00980FB2
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00980047
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00980FA1
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 0098002C
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 0098001B
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00980000
.text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00980FD9
.text C:\Windows\system32\svchost.exe[1492] WS2_32.dll!socket 76F94358 5 Bytes JMP 009A0000
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00B2007D
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 00B20F59
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00B2009F
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00B200CB
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 00B200BA
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 00B20014
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 00B20F3E
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00B20025
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00B2008E
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00B20F7E
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00B2006C
.text
C:\Windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00B2005B .text C:\Windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00B20FB9 .text C:\Windows\system32\svchost.exe[1804] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00B2004A .text C:\Windows\system32\svchost.exe[1804] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00B200DC .text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00B20FDE .text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00B20FEF .text C:\Windows\system32\svchost.exe[1804] msvcrt.dll!_open 7700A890 5 Bytes JMP 00EE0000 .text C:\Windows\system32\svchost.exe[1804] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00EE0055 .text C:\Windows\system32\svchost.exe[1804] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00EE0FCA .text C:\Windows\system32\svchost.exe[1804] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00EE0029 .text C:\Windows\system32\svchost.exe[1804] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00EE003A .text C:\Windows\system32\svchost.exe[1804] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00EE0FEF .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 009C0036 .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 009C0051 .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 009C0FAB .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 009C0F8E .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 009C001B .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 009C000A .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 009C0FEF .text C:\Windows\system32\svchost.exe[1804] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 009C0FBC .text 
C:\Windows\system32\svchost.exe[1804] WS2_32.dll!socket 76F94358 5 Bytes JMP 00B30FEF .text C:\Windows\Explorer.EXE[2036] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 02250F97 .text C:\Windows\Explorer.EXE[2036] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 02250F5A .text C:\Windows\Explorer.EXE[2036] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 02250F6B .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 022500D6 .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 022500BB .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 02250014 .text C:\Windows\Explorer.EXE[2036] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 02250F3F .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 02250FCD .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 0225008C .text C:\Windows\Explorer.EXE[2036] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 02250F7C .text C:\Windows\Explorer.EXE[2036] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 02250071 .text C:\Windows\Explorer.EXE[2036] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 0225004A .text C:\Windows\Explorer.EXE[2036] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 02250FA8 .text C:\Windows\Explorer.EXE[2036] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 02250039 .text C:\Windows\Explorer.EXE[2036] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 02250F1A .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 02250FDE .text C:\Windows\Explorer.EXE[2036] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 02250FEF .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 02240039 .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 02240056 .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 02240FA4 .text C:\Windows\Explorer.EXE[2036] 
ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 02240067 .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 02240FC1 .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 02240FDE .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 02240FEF .text C:\Windows\Explorer.EXE[2036] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 02240014 .text C:\Windows\Explorer.EXE[2036] msvcrt.dll!_open 7700A890 5 Bytes JMP 02630FEF .text C:\Windows\Explorer.EXE[2036] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 02630FC1 .text C:\Windows\Explorer.EXE[2036] msvcrt.dll!system 7703AB6B 5 Bytes JMP 02630042 .text C:\Windows\Explorer.EXE[2036] msvcrt.dll!_creat 7703E711 5 Bytes JMP 0263000C .text C:\Windows\Explorer.EXE[2036] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 02630031 .text C:\Windows\Explorer.EXE[2036] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 02630FD2 .text C:\Windows\Explorer.EXE[2036] WS2_32.dll!socket 76F94358 5 Bytes JMP 02270000 .text C:\Windows\Explorer.EXE[2036] WININET.dll!InternetOpenA 76ED3081 5 Bytes JMP 02260FEF .text C:\Windows\Explorer.EXE[2036] WININET.dll!InternetOpenW 76ED36B1 5 Bytes JMP 02260FD4 .text C:\Windows\Explorer.EXE[2036] WININET.dll!InternetOpenUrlA 76ED6F5A 5 Bytes JMP 0226000A .text C:\Windows\Explorer.EXE[2036] WININET.dll!InternetOpenUrlW 76F18439 5 Bytes JMP 02260FB9 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 002E0049 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 002E0F4A .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 002E0090 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 002E0F28 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 002E00B5 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 
002E0FB9 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 002E0F39 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 002E0FA8 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 002E0075 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 002E0064 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 002E0F6F .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 002E001B .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 002E002C .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 002E000A .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 002E0F17 .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 002E0FDE .text C:\Windows\system32\svchost.exe[2580] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 002E0FEF .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!_open 7700A890 5 Bytes JMP 00340FEF .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!_wsystem 7703AA4F 2 Bytes JMP 0034002C .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!_wsystem + 3 7703AA52 2 Bytes [30, 89] .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!system 7703AB6B 5 Bytes JMP 0034001B .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00340FC6 .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00340FAB .text C:\Windows\system32\svchost.exe[2580] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00340000 .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 002D0FB0 .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 002D0058 .text 
C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 002D003B .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 002D0F95 .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 002D0FD2 .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 002D0FEF .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 002D000A .text C:\Windows\system32\svchost.exe[2580] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 002D0FC1 .text C:\Windows\system32\svchost.exe[2580] WS2_32.dll!socket 76F94358 5 Bytes JMP 002F0FEF .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 000100A2 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 00010F77 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 000100BD .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00010F48 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 000100E9 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 0001002C .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 000100D8 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00010FE5 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00010F92 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00010FA3 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00010FCA .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00010062 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes 
JMP 0001007D .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00010051 .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 000100FA .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 0001001B .text C:\Windows\system32\svchost.exe[2604] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00010000 .text C:\Windows\system32\svchost.exe[2604] msvcrt.dll!_open 7700A890 5 Bytes JMP 00050FE3 .text C:\Windows\system32\svchost.exe[2604] msvcrt.dll!_wsystem 7703AA4F 5 Bytes JMP 00050F97 .text C:\Windows\system32\svchost.exe[2604] msvcrt.dll!system 7703AB6B 5 Bytes JMP 0005002C .text C:\Windows\system32\svchost.exe[2604] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00050FBC .text C:\Windows\system32\svchost.exe[2604] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00050011 .text C:\Windows\system32\svchost.exe[2604] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00050000 .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00060FBE .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 0006005A .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00060049 .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00060F97 .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 0006001B .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 0006000A .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00060FEF .text C:\Windows\system32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 0006002C .text C:\Windows\system32\svchost.exe[2604] WS2_32.dll!socket 76F94358 5 Bytes JMP 0008000A .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00DD0076 .text 
C:\Windows\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 00DD00A2 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00DD0F5C .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00DD0F1C .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 00DD00BD .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 00DD0FDE .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 00DD0F41 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 00DD002F .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00DD0091 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00DD0F77 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00DD0065 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00DD0FB9 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00DD0FA8 .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00DD004A .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 00DD00CE .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00DD0FEF .text C:\Windows\system32\svchost.exe[2640] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00DD0000 .text C:\Windows\system32\svchost.exe[2640] msvcrt.dll!_open 7700A890 5 Bytes JMP 00E30000 .text C:\Windows\system32\svchost.exe[2640] msvcrt.dll!_wsystem 7703AA4F 2 Bytes JMP 00E3004E .text C:\Windows\system32\svchost.exe[2640] msvcrt.dll!_wsystem + 3 7703AA52 2 Bytes [DF, 89] .text C:\Windows\system32\svchost.exe[2640] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00E3003D .text 
C:\Windows\system32\svchost.exe[2640] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00E30FDE .text C:\Windows\system32\svchost.exe[2640] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00E30FCD .text C:\Windows\system32\svchost.exe[2640] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00E30FEF .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00DC0049 .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00DC005A .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 00DC0FBE .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00DC006B .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00DC0022 .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00DC0011 .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00DC0000 .text C:\Windows\system32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00DC0FCF .text C:\Windows\system32\svchost.exe[2640] WS2_32.dll!socket 76F94358 5 Bytes JMP 00E20FEF .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!VirtualProtect 76C318BF 5 Bytes JMP 00110F77 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!GetStartupInfoW 76C3191A 5 Bytes JMP 00110F55 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!GetStartupInfoA 76C319B8 5 Bytes JMP 00110091 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreateProcessW 76C31D27 5 Bytes JMP 00110F1F .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreateProcessA 76C31D5C 5 Bytes JMP 00110F3A .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreateNamedPipeA 76C32484 5 Bytes JMP 00110FCA .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!WinExec 76C332DF 5 Bytes JMP 001100B6 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreateNamedPipeW 76C3EDFE 5 Bytes JMP 0011001B .text 
C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreatePipe 76C4B0AF 5 Bytes JMP 00110080 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!VirtualProtectEx 76C560AB 5 Bytes JMP 00110F66 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!LoadLibraryExW 76C595A7 5 Bytes JMP 00110F88 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!LoadLibraryW 76C5971F 5 Bytes JMP 00110FA5 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!LoadLibraryExA 76C59A6E 5 Bytes JMP 00110051 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!LoadLibraryA 76C59A96 5 Bytes JMP 00110036 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!GetProcAddress 76C74110 5 Bytes JMP 001100D1 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreateFileW 76C7866C 5 Bytes JMP 00110000 .text C:\Windows\System32\svchost.exe[2936] kernel32.dll!CreateFileA 76C78CA4 5 Bytes JMP 00110FEF .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!_open 7700A890 5 Bytes JMP 00160000 .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!_wsystem 7703AA4F 1 Byte [E9] .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!_wsystem + 3 7703AA52 2 Bytes [12, 89] .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!system 7703AB6B 5 Bytes JMP 00160042 .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!_creat 7703E711 5 Bytes JMP 00160FD2 .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!_wcreat 7703F9C6 5 Bytes JMP 00160027 .text C:\Windows\System32\svchost.exe[2936] msvcrt.dll!_wopen 7703FBA1 5 Bytes JMP 00160FEF .text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyW 76738229 5 Bytes JMP 00100FB0 .text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyExA 76743941 5 Bytes JMP 00100056 .text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyA 76743B9F 5 Bytes JMP 0010003B .text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegCreateKeyExW 767504A2 5 Bytes JMP 00100073 .text C:\Windows\System32\svchost.exe[2936] 
ADVAPI32.dll!RegOpenKeyExA 76750DDF 5 Bytes JMP 00100FDE
.text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyW 76757B8D 5 Bytes JMP 00100FEF
.text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyA 7675EAEA 5 Bytes JMP 00100000
.text C:\Windows\System32\svchost.exe[2936] ADVAPI32.dll!RegOpenKeyExW 76765ECD 5 Bytes JMP 00100FC1

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3404] @ C:\Windows\system32\NETAPI32.dll [PSAPI.DLL!GetModuleBaseNameW] [7640159E] C:\Windows\system32\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x65 0x65 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x65 0x65 0x02 ...

---- EOF - GMER 1.0.15 ----