GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-10 18:03:55 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9160310AS rev.0303 149,05GB Running: yk8gjn29.exe; Driver: C:\DOCUME~1\nowy\USTAWI~1\Temp\fwldqpow.sys ---- System - GMER 2.1 ---- SSDT \WINDOWS\system32\ntkrnlpa.exe (Jądro i system NT/Microsoft Corporation) ZwCreateKey [0x804D70CC] SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70CC] ZwCreateKey [0x804D70CC] SSDT \WINDOWS\system32\ntkrnlpa.exe (Jądro i system NT/Microsoft Corporation) ZwOpenKey [0x804D70D1] SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D1] ZwOpenKey [0x804D70D1] INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70DB INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) ADCCA16D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) ADCC9FC2 Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF7189242] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7189090] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF71890A4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7189114] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7189140] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF71891AE] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF7189198] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF71891C4] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7189282] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF71891F0] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7189054] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7189068] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) 
ZwProtectVirtualMemory [0xF7189256] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF718922C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7189182] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF718916C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF718912A] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF7189218] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF7189204] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF71890CE] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF71890BA] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7189156] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF71892B1] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF71891DA] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7189298] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF718926C] Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwYieldExecution 80504B1C 7 Bytes JMP F7189270 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 805790A2 5 Bytes JMP F7189246 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2042 7 Bytes JMP F7189286 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E50 5 Bytes JMP F718929C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B8426 7 Bytes JMP F718925A mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 805CB456 5 Bytes JMP F7189058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 805CB6E2 5 Bytes JMP F718906C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDEA0 5 Bytes JMP F71890BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D119A 7 Bytes JMP F71890A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 805D1250 5 Bytes JMP F7189094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 805D22D8 5 Bytes JMP F71892B5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 805D2C1A 5 Bytes JMP F71890D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryValueKey 806221FA 7 Bytes JMP F7189170 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetValueKey 80622548 7 Bytes JMP F718915A mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnloadKey 80622872 7 Bytes JMP F71891DE mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80623124 7 Bytes JMP F7189186 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRenameKey 806239F8 7 Bytes JMP F718912E mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteKey 80624472 7 Bytes JMP F7189118 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwDeleteValueKey 80624642 7 Bytes JMP F7189144 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateKey 80624822 7 Bytes JMP F71891B2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624A8C 7 Bytes JMP F718919C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwQueryKey 806256F6 7 Bytes JMP F7189230 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!ZwRestoreKey 806259B6 5 Bytes JMP F7189208 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwLoadKey2 80625E06 7 Bytes JMP F71891C8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 806260AA 5 Bytes JMP F718921C mfehidk.sys (McAfee Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806261C4 5 Bytes JMP F71891F4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.) .sfrelocÿÿÿÿsfsync03unknown last section [0xF74C4000, 0xA20, 0x40000040] C:\WINDOWS\system32\drivers\sfsync03.sys unknown last section [0xF74C4000, 0xA20, 0x40000040] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6645000, 0x189F82, 0xE8000020] .text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xA89F2000, 0x49379, 0xE0000020] .init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xA8A48224] .init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xA8A48000, 0x4000, 0xE20000E0] .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA8809400, 0x6EB98, 0xE8000020] .protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA8893C20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA8893C20] .protectÿÿÿÿhardlockunknown last code section [0xA8893A00, 0x50CA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA8893A00, 0x50CA, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05C10FEF .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05C1004F .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05C10F5A .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!LoadLibraryExW 7C801AF5 5 
Bytes JMP 05C10F6B .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05C10028 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05C10FA1 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05C10F27 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05C10F38 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05C100A5 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05C10094 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05C10EF1 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05C10F86 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05C10FD4 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05C10F49 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05C10FB2 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05C10FC3 .text C:\WINDOWS\System32\svchost.exe[196] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05C10F16 .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 05C0002C .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 05C00F91 .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 05C0001B .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 05C00000 .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 05C0004E .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 05C00FE5 .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyW 77DEBA55 
2 Bytes JMP 05C00FB6 .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [E1, 8D] {LOOPZ 0xffffff8f} .text C:\WINDOWS\System32\svchost.exe[196] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 05C0003D .text C:\WINDOWS\System32\svchost.exe[196] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 05BF0058 .text C:\WINDOWS\System32\svchost.exe[196] msvcrt.dll!system 77C193C7 5 Bytes JMP 05BF0FCD .text C:\WINDOWS\System32\svchost.exe[196] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 05BF0FDE .text C:\WINDOWS\System32\svchost.exe[196] msvcrt.dll!_open 77C1F566 5 Bytes JMP 05BF000C .text C:\WINDOWS\System32\svchost.exe[196] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 05BF003D .text C:\WINDOWS\System32\svchost.exe[196] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 05BF0FEF .text C:\WINDOWS\System32\svchost.exe[196] WS2_32.dll!socket 71A54211 5 Bytes JMP 05BE0FEF .text C:\WINDOWS\System32\svchost.exe[196] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 05BD0FEF .text C:\WINDOWS\System32\svchost.exe[196] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 05BD0FDE .text C:\WINDOWS\System32\svchost.exe[196] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 05BD0FCD .text C:\WINDOWS\System32\svchost.exe[196] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 05BD0FB2 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006A0000 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006A0F9E .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006A0093 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006A0FB9 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006A0076 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006A0FD4 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006A00E6 .text 
C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006A00CB .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006A011C .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006A0101 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006A0F68 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006A005B .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006A001B .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006A00AE .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006A0040 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006A0FE5 .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006A0F83 .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 0069001B .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00690F8A .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00690FCA .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0069000A .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00690047 .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00690FEF .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 0069002C .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00690FA5 .text C:\WINDOWS\system32\svchost.exe[252] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00680F9C .text C:\WINDOWS\system32\svchost.exe[252] msvcrt.dll!system 77C193C7 5 Bytes JMP 00680027 .text 
C:\WINDOWS\system32\svchost.exe[252] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00680FB7 .text C:\WINDOWS\system32\svchost.exe[252] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00680FEF .text C:\WINDOWS\system32\svchost.exe[252] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 0068000C .text C:\WINDOWS\system32\svchost.exe[252] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00680FD2 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F94 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20FA5 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20FC0 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C2007D .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C2005B .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C200C6 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C200B5 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200FC .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200E1 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F48 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C2006C .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C2000A .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C200A4 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20036 .text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20025 .text 
C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20F63 .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00C1002C .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00C10FA5 .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00C10FDB .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00C10011 .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00C10062 .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00C10000 .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00C10FC0 .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [E2, 88] {LOOP 0xffffff8a} .text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00C1003D .text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00C00FBC .text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!system 77C193C7 5 Bytes JMP 00C00047 .text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00C00018 .text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00C00FEF .text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00C00FCD .text C:\WINDOWS\system32\svchost.exe[588] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00C00FDE .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CA0FEF .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CA0F6B .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CA0F7C .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CA0F8D .text C:\WINDOWS\system32\svchost.exe[700] 
kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CA004A .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CA002F .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CA0F3D .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CA0085 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CA0096 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CA0EFD .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01CA0EE2 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01CA0FA8 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01CA0FDE .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01CA0F5A .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01CA0FC3 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01CA0014 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01CA0F22 .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 01C90FC3 .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 01C90F72 .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 01C9000A .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 01C90FD4 .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 01C90F8D .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 01C90FEF .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 01C90F9E .text 
C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes JMP 50C03389 .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 01C90025 .text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00E20F7F .text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!system 77C193C7 5 Bytes JMP 00E20F90 .text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00E20FB5 .text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00E20FE3 .text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00E20000 .text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00E20FC6 .text C:\WINDOWS\system32\svchost.exe[700] WS2_32.dll!socket 71A54211 5 Bytes JMP 00E10FEF .text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 00E0000A .text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 00E00FEF .text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 00E00FCA .text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 00E0001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015A0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015A0082 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015A0067 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015A004A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015A0F97 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!LoadLibraryA 
7C801D7B 5 Bytes JMP 015A0025 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015A0F52 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015A00A4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015A0F26 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015A0F37 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015A0F0B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015A0FA8 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015A0FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015A0093 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015A0FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015A000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015A00B5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 01590FB2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 01590065 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 01590FC3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 01590FD4 .text C:\Program 
Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 0159004A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 01590FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 01590039 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 0159001E .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 01470025 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] msvcrt.dll!system 77C193C7 5 Bytes JMP 01470F90 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 01470FC6 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] msvcrt.dll!_open 77C1F566 5 Bytes JMP 01470FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 01470FA1 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 01470000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[908] WS2_32.dll!socket 71A54211 5 Bytes JMP 01450000 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E1000A .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E10076 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E10F8B .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E10FA8 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E10FB9 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E10051 .text C:\WINDOWS\system32\svchost.exe[912] 
kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E100AC .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E10F5A .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E10F2E .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E100C7 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E100E2 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E10FCA .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E10FEF .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E10091 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E10040 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E10025 .text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E10F49 .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00E00FB9 .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00E00F72 .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00E00FCA .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00E00FDB .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00E00F83 .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00E00000 .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00E0002F .text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00E00F9E .text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00DF0038 .text C:\WINDOWS\system32\svchost.exe[912] 
msvcrt.dll!system 77C193C7 5 Bytes JMP 00DF0027 .text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00DF0FD2 .text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00DF0FEF .text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00DF0FB7 .text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00DF000C .text C:\WINDOWS\system32\svchost.exe[912] WS2_32.dll!socket 71A54211 5 Bytes JMP 00DE0000 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F80 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007007F .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA5 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070062 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070047 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700D2 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700AB .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700FE .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F65 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0007010F .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FC0 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FE5 .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070090 .text C:\WINDOWS\system32\services.exe[1600] 
kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0007002C .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007001B .text C:\WINDOWS\system32\services.exe[1600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000700ED .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00060FDB .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00060076 .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 0006002C .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0006001B .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00060051 .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00060000 .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00060FB9 .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [27, 88] .text C:\WINDOWS\system32\services.exe[1600] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00060FCA .text C:\WINDOWS\system32\services.exe[1600] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00050058 .text C:\WINDOWS\system32\services.exe[1600] msvcrt.dll!system 77C193C7 5 Bytes JMP 0005003D .text C:\WINDOWS\system32\services.exe[1600] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00050011 .text C:\WINDOWS\system32\services.exe[1600] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00050000 .text C:\WINDOWS\system32\services.exe[1600] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00050022 .text C:\WINDOWS\system32\services.exe[1600] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00050FE3 .text C:\WINDOWS\system32\services.exe[1600] WS2_32.dll!socket 71A54211 5 Bytes JMP 00040FEF .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000 .text C:\WINDOWS\system32\lsass.exe[1612] 
kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF009A .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF0FA5 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0FC0 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF007D .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF0047 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00CD .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00BC .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF0103 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF00E8 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF011E .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0058 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF0011 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF00AB .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FDB .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF0022 .text C:\WINDOWS\system32\lsass.exe[1612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF0F6A .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00FE0FCA .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00FE0F7C .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00FE0FDB .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00FE001B .text C:\WINDOWS\system32\lsass.exe[1612] 
ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00FE0F8D .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00FE000A .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00FE0F9E .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [1F, 89] .text C:\WINDOWS\system32\lsass.exe[1612] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00FE0FAF .text C:\WINDOWS\system32\lsass.exe[1612] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00E00FC8 .text C:\WINDOWS\system32\lsass.exe[1612] msvcrt.dll!system 77C193C7 5 Bytes JMP 00E00053 .text C:\WINDOWS\system32\lsass.exe[1612] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00E00FE3 .text C:\WINDOWS\system32\lsass.exe[1612] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00E00000 .text C:\WINDOWS\system32\lsass.exe[1612] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00E00038 .text C:\WINDOWS\system32\lsass.exe[1612] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00E00011 .text C:\WINDOWS\system32\lsass.exe[1612] WS2_32.dll!socket 71A54211 5 Bytes JMP 00DF0FEF .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80084 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80073 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80FA5 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80062 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FCA .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800A1 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F59 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 
00F80F3E .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800D7 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F80F23 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80051 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80000 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F74 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80036 .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F8001B .text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F800BC .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F70FB9 .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F70F83 .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F70FCA .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F70FEF .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F7004A .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F70000 .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00F7002F .text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F70F9E .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F60FAB .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F60FBC .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F60FDE .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F60FEF .text 
C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F60FCD .text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F6000C .text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71A54211 5 Bytes JMP 00F50FE5 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E00000 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E00F5C .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E00051 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E00040 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E00F83 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E00FA8 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E00073 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E00062 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E00F10 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E000A9 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E00EFF .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E0002F .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E00FE5 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E00F37 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E00FB9 .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E00FCA .text C:\WINDOWS\system32\svchost.exe[1884] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E00084 .text 
C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00DF0FEF .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00DF009B .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00DF0040 .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00DF0025 .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00DF0080 .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00DF000A .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00DF0FDE .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [00, 89] .text C:\WINDOWS\system32\svchost.exe[1884] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00DF0065 .text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00DE0FB2 .text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!system 77C193C7 5 Bytes JMP 00DE0FCD .text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00DE0022 .text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00DE0000 .text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00DE003D .text C:\WINDOWS\system32\svchost.exe[1884] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00DE0011 .text C:\WINDOWS\system32\svchost.exe[1884] WS2_32.dll!socket 71A54211 5 Bytes JMP 00DD0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF000A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CF0F75 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CF0F90 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] 
kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF005E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0FA1 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CF0FC3 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F64 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CF00A0 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CF0F42 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CF00DB .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CF0F31 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CF0FB2 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CF0085 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FD4 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF001B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CF0F53 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00CE002C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00CE0F9B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegOpenKeyExA 
77DC7852 5 Bytes JMP 00CE0FDB .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00CE0011 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00CE0FAC .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00CE0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00CE004E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00CE003D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00CD0FAD .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] msvcrt.dll!system 77C193C7 5 Bytes JMP 00CD0FBE .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00CD002E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00CD0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00CD0FD9 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00CD001D .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2144] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CC0FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 5CE60FE5 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 5CE60069 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 5CE60F7E .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!LoadLibraryExW 7C801AF5 4 Bytes JMP 
5CE60F9B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 5CE6004E .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 5CE6002C .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 5CE60F48 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 5CE60084 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 5CE600CD .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 5CE600BC .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 5CE600DE .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 5CE6003D .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 5CE6000A .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 5CE60F59 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 5CE6001B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 5CE60FD4 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 5CE600AB .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00880FAB .text C:\Program Files\Microsoft SQL 
Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] msvcrt.dll!system 77C193C7 5 Bytes JMP 0088002C .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00880FC6 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00880FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 0088001B .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00880000 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00890FCD .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00890FA8 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00890FDE .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 0089000A .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00890065 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00890FEF .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 0089004A .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00890039 .text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2192] WS2_32.dll!socket 71A54211 5 Bytes JMP 00870000 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00750FEF .text C:\WINDOWS\System32\svchost.exe[2376] 
kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00750F75 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0075006A .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00750F90 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0075004D .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00750FB2 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00750F38 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00750F49 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007500B6 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007500A5 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007500D1 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00750FA1 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00750FD4 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00750F5A .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0075001E .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00750FC3 .text C:\WINDOWS\System32\svchost.exe[2376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00750F27 .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 0074000A .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 0074006C .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00740FB9 .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00740FD4 .text 
C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00740051 .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00740FEF .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00740036 .text C:\WINDOWS\System32\svchost.exe[2376] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00740025 .text C:\WINDOWS\System32\svchost.exe[2376] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00730042 .text C:\WINDOWS\System32\svchost.exe[2376] msvcrt.dll!system 77C193C7 5 Bytes JMP 00730031 .text C:\WINDOWS\System32\svchost.exe[2376] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 0073000C .text C:\WINDOWS\System32\svchost.exe[2376] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00730FEF .text C:\WINDOWS\System32\svchost.exe[2376] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00730FC1 .text C:\WINDOWS\System32\svchost.exe[2376] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00730FDE .text C:\WINDOWS\System32\svchost.exe[2376] WS2_32.dll!socket 71A54211 5 Bytes JMP 00720000 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70FE5 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70078 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70F79 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70F94 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70051 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D7002C .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D700C1 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D7009A .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700ED .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F54 .text 
C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70108 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D70FA5 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D70FD4 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70089 .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D7001B .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D7000A .text C:\WINDOWS\Explorer.EXE[2924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D700D2 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00D60FD4 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00D6005E .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00D60025 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00D6000A .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00D60F97 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00D60FE5 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegCreateKeyW 77DEBA55 2 Bytes JMP 00D60FA8 .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegCreateKeyW + 3 77DEBA58 2 Bytes [F7, 88] .text C:\WINDOWS\Explorer.EXE[2924] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00D60FC3 .text C:\WINDOWS\Explorer.EXE[2924] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00D40FB9 .text C:\WINDOWS\Explorer.EXE[2924] msvcrt.dll!system 77C193C7 5 Bytes JMP 00D40FCA .text C:\WINDOWS\Explorer.EXE[2924] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00D40FEF .text C:\WINDOWS\Explorer.EXE[2924] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00D4000C .text C:\WINDOWS\Explorer.EXE[2924] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00D40044 .text C:\WINDOWS\Explorer.EXE[2924] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00D40029 .text 
C:\WINDOWS\Explorer.EXE[2924] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 00CD0000 .text C:\WINDOWS\Explorer.EXE[2924] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 00CD0FEF .text C:\WINDOWS\Explorer.EXE[2924] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 00CD0025 .text C:\WINDOWS\Explorer.EXE[2924] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 00CD0FDE .text C:\WINDOWS\Explorer.EXE[2924] WS2_32.dll!socket 71A54211 5 Bytes JMP 00CE0FEF .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00750FEF .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00750F4B .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00750F66 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00750040 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00750F8D .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00750014 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00750080 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00750065 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00750F02 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00750F13 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00750EF1 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0075002F .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00750FDE .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00750F3A .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00750FA8 .text 
C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00750FB9 .text C:\WINDOWS\System32\svchost.exe[3104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00750091 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00740FB6 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00740058 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00740011 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00740000 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00740047 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00740FE5 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00740036 .text C:\WINDOWS\System32\svchost.exe[3104] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00740FA5 .text C:\WINDOWS\System32\svchost.exe[3104] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00730FAD .text C:\WINDOWS\System32\svchost.exe[3104] msvcrt.dll!system 77C193C7 5 Bytes JMP 00730038 .text C:\WINDOWS\System32\svchost.exe[3104] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 0073001D .text C:\WINDOWS\System32\svchost.exe[3104] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00730000 .text C:\WINDOWS\System32\svchost.exe[3104] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00730FD2 .text C:\WINDOWS\System32\svchost.exe[3104] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00730FE3 .text C:\WINDOWS\System32\svchost.exe[3104] WS2_32.dll!socket 71A54211 5 Bytes JMP 00720000 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FE5 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50067 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F72 .text C:\WINDOWS\system32\svchost.exe[3212] 
kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F83 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50040 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FC3 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F500A4 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50093 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500E1 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F500D0 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F500F2 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50FA8 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50000 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50082 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50FD4 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50025 .text C:\WINDOWS\system32\svchost.exe[3212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F500B5 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 00F40025 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 00F40F83 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 00F40FD4 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 00F40FE5 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 00F40F94 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00F40000 .text 
C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 00F40040 .text C:\WINDOWS\system32\svchost.exe[3212] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 00F40FB9 .text C:\WINDOWS\system32\svchost.exe[3212] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 00F30053 .text C:\WINDOWS\system32\svchost.exe[3212] msvcrt.dll!system 77C193C7 5 Bytes JMP 00F30FC8 .text C:\WINDOWS\system32\svchost.exe[3212] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 00F30FE3 .text C:\WINDOWS\system32\svchost.exe[3212] msvcrt.dll!_open 77C1F566 5 Bytes JMP 00F30000 .text C:\WINDOWS\system32\svchost.exe[3212] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 00F30038 .text C:\WINDOWS\system32\svchost.exe[3212] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 00F30011 .text C:\WINDOWS\system32\svchost.exe[3212] WS2_32.dll!socket 71A54211 5 Bytes JMP 00F20FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F7E .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260069 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F8F .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260058 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260FC0 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F6D .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600B5 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F48 .text C:\Program Files\Microsoft 
Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600D7 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260F2D .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260047 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260FE5 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260098 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260022 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260011 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600C6 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegOpenKeyExW 77DC6AAF 5 Bytes JMP 003B0025 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegCreateKeyExW 77DC776C 5 Bytes JMP 003B006F .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegOpenKeyExA 77DC7852 5 Bytes JMP 003B0FD4 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegOpenKeyW 77DC7946 5 Bytes JMP 003B000A .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegCreateKeyExA 77DCE9F4 5 Bytes JMP 003B0FA8 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 003B0FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegCreateKeyW 77DEBA55 5 Bytes JMP 003B004A .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] ADVAPI32.dll!RegCreateKeyA 77DEBCF3 5 Bytes JMP 003B0FC3 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] 
ole32.dll!OleLoadFromStream 7751983B 5 Bytes JMP 30F52DF0 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation) .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] msvcrt.dll!_wsystem 77C1931E 5 Bytes JMP 003C0FA1 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] msvcrt.dll!system 77C193C7 5 Bytes JMP 003C0FB2 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] msvcrt.dll!_creat 77C1D40F 5 Bytes JMP 003C0FCD .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] msvcrt.dll!_open 77C1F566 5 Bytes JMP 003C0FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] msvcrt.dll!_wcreat 77C1FC9B 5 Bytes JMP 003C002C .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] msvcrt.dll!_wopen 77C20055 5 Bytes JMP 003C0FDE .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] WS2_32.dll!socket 71A54211 5 Bytes JMP 01470000 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] WININET.dll!InternetOpenA 3FD1D6A8 5 Bytes JMP 016A0FEF .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] WININET.dll!InternetOpenW 3FD1DB21 5 Bytes JMP 016A000A .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] WININET.dll!InternetOpenUrlA 3FD1F3BC 5 Bytes JMP 016A0FD4 .text C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE[3668] WININET.dll!InternetOpenUrlW 3FD66DFF 5 Bytes JMP 016A0FC3 .text C:\Program Files\Mozilla Firefox\firefox.exe[5440] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01596D70 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5440] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 018ED736 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5440] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 018ED713 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text 
C:\Program Files\Mozilla Firefox\firefox.exe[5440] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 015B1C62 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5440] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 018ED694 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[8404] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 108243E6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[8404] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 10824375 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[8404] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1046E50D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[8404] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 1046E9FB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\mfevtps.exe[336] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405941] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) 
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort2 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\RTSTOR \Device\000000a7 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.) Device \Driver\Disk \Device\Harddisk1\DR3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.) Device \Driver\RTSTOR \Device\000000aa sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology) AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ---- Threads - GMER 2.1 ---- Thread System [4:6448] A23B51F0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2A 0xEB 0xAA 0xD8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet 7000 E809a Series@ChangeID 123313906 ---- EOF - GMER 2.1 ----