GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-18 20:31:12
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC2O
Running: syiw3rhk.exe; Driver: C:\Users\kwieka\AppData\Local\Temp\fgdirpow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8B38D918]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8B38D92C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8B38D942]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8B38D9CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8B38D97E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8B38D9A6]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8B38D992]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8B38D96A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8B38D956]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B38D9FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8B38D9E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8B38D9BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82E44138 5 Bytes JMP 8B38D9BE \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E5C589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E81092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 83013047 5 Bytes JMP 8B38D982 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 830668E5 5 Bytes JMP 8B38D95A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 8306F2BC 5 Bytes JMP 8B38D946 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8307B01D 5 Bytes JMP 8B38DA01 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 830951BC 5 Bytes JMP 8B38D9E8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 830983B7 7 Bytes JMP 8B38D9D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 830AF435 5 Bytes JMP 8B38D996 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 830B65A2 5 Bytes JMP 8B38D9AA \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 830F42A9 5 Bytes JMP 8B38D91C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 830F42F4 7 Bytes JMP 8B38D930 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 830F51B7 5 Bytes JMP 8B38D96E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\windows\System32\Drivers\SafeBoot.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7A5B1351-2B4B-47B3-BD3C-3EC4D30C9E53}\MpKsl00acc14a.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\wuauclt.exe[404] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 0004000A
.text C:\windows\system32\wuauclt.exe[404] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00040FDE
.text C:\windows\system32\wuauclt.exe[404] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00040FEF
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 00010F5B
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 000100C4
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00010F2F
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00010047
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00010F76
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 0001007A
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00010FA2
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00010069
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 0001001B
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 000100D5
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00010FD1
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00010058
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 0001000A
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 0001009F
.text C:\windows\system32\wuauclt.exe[404] kernel32.dll!CreateNamedPipeA 7618D5BF 5
Bytes JMP 0001002C .text C:\windows\system32\wuauclt.exe[404] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00010F40 .text C:\windows\system32\wuauclt.exe[404] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00010F91 .text C:\windows\system32\wuauclt.exe[404] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 0008000C .text C:\windows\system32\wuauclt.exe[404] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00080FCA .text C:\windows\system32\wuauclt.exe[404] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00080055 .text C:\windows\system32\wuauclt.exe[404] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00080029 .text C:\windows\system32\wuauclt.exe[404] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 0008003A .text C:\windows\system32\wuauclt.exe[404] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 00080FEF .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00090000 .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00090033 .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 0009005F .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00090044 .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00090011 .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00090070 .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00090FD1 .text C:\windows\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00090022 .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtQueryAttributesFile + 6 
77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[528] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] 
ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[556] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\windows\system32\services.exe[656] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 014F0000 .text C:\windows\system32\services.exe[656] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 014F0036 .text C:\windows\system32\services.exe[656] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 014F0025 .text C:\windows\system32\services.exe[656] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 009000A2 .text C:\windows\system32\services.exe[656] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00900104 .text C:\windows\system32\services.exe[656] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 009000E9 .text C:\windows\system32\services.exe[656] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00900036 .text C:\windows\system32\services.exe[656] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00900F79 .text C:\windows\system32\services.exe[656] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00900F9B .text 
C:\windows\system32\services.exe[656] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00900073 .text C:\windows\system32\services.exe[656] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00900058 .text C:\windows\system32\services.exe[656] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00900011 .text C:\windows\system32\services.exe[656] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00900115 .text C:\windows\system32\services.exe[656] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00900FCA .text C:\windows\system32\services.exe[656] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00900047 .text C:\windows\system32\services.exe[656] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00900000 .text C:\windows\system32\services.exe[656] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 009000BD .text C:\windows\system32\services.exe[656] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00900FE5 .text C:\windows\system32\services.exe[656] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 009000CE .text C:\windows\system32\services.exe[656] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00900F8A .text C:\windows\system32\services.exe[656] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 014A0FE3 .text C:\windows\system32\services.exe[656] msvcrt.dll!_wsystem 76E0B04F 1 Byte [E9] .text C:\windows\system32\services.exe[656] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 014A0053 .text C:\windows\system32\services.exe[656] msvcrt.dll!system 76E0B16F 5 Bytes JMP 014A0042 .text C:\windows\system32\services.exe[656] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 014A000C .text C:\windows\system32\services.exe[656] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 014A0027 .text C:\windows\system32\services.exe[656] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 014A0FD2 .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00A20FEF .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00A20F9E .text C:\windows\system32\services.exe[656] 
ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00A20036 .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00A20025 .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00A2000A .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00A20F79 .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00A20FD4 .text C:\windows\system32\services.exe[656] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00A20FC3 .text C:\windows\system32\services.exe[656] WS2_32.dll!socket 76C23F00 5 Bytes JMP 0158000A .text C:\windows\system32\lsass.exe[672] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 006D0FEF .text C:\windows\system32\lsass.exe[672] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 006D0FB9 .text C:\windows\system32\lsass.exe[672] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 006D0FD4 .text C:\windows\system32\lsass.exe[672] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 001000AC .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00100F4D .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 001000E2 .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00100025 .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00100091 .text C:\windows\system32\lsass.exe[672] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00100F83 .text C:\windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00100F94 .text C:\windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00100051 .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00100FDE .text C:\windows\system32\lsass.exe[672] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00100F3C .text C:\windows\system32\lsass.exe[672] 
kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00100036 .text C:\windows\system32\lsass.exe[672] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00100FAF .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00100FEF .text C:\windows\system32\lsass.exe[672] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 001000C7 .text C:\windows\system32\lsass.exe[672] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00100014 .text C:\windows\system32\lsass.exe[672] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00100F5E .text C:\windows\system32\lsass.exe[672] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00100080 .text C:\windows\system32\lsass.exe[672] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 00130000 .text C:\windows\system32\lsass.exe[672] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00130064 .text C:\windows\system32\lsass.exe[672] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00130053 .text C:\windows\system32\lsass.exe[672] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00130FD9 .text C:\windows\system32\lsass.exe[672] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00130038 .text C:\windows\system32\lsass.exe[672] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 0013001D .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00120FEF .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00120F94 .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00120025 .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00120F83 .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00120FD4 .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00120F5E .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00120FB9 .text C:\windows\system32\lsass.exe[672] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00120000 .text 
C:\windows\system32\lsass.exe[672] WS2_32.dll!socket 76C23F00 5 Bytes JMP 0011000A .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00450FE5 .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00450FCA .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 0045000A .text C:\windows\system32\svchost.exe[836] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 003D0F4D .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 003D00AC .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 003D009B .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 003D0036 .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 003D0F68 .text C:\windows\system32\svchost.exe[836] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 003D0076 .text C:\windows\system32\svchost.exe[836] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 003D0F94 .text C:\windows\system32\svchost.exe[836] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 003D0047 .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 003D001B .text C:\windows\system32\svchost.exe[836] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 003D0EFC .text C:\windows\system32\svchost.exe[836] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 003D0FC0 .text C:\windows\system32\svchost.exe[836] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 003D0FAF .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 003D000A .text C:\windows\system32\svchost.exe[836] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 003D0F32 .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 003D0FE5 .text C:\windows\system32\svchost.exe[836] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 003D0F21 .text 
C:\windows\system32\svchost.exe[836] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 003D0F79 .text C:\windows\system32\svchost.exe[836] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 00440000 .text C:\windows\system32\svchost.exe[836] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00440FA3 .text C:\windows\system32\svchost.exe[836] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00440FBE .text C:\windows\system32\svchost.exe[836] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00440038 .text C:\windows\system32\svchost.exe[836] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00440FD9 .text C:\windows\system32\svchost.exe[836] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 0044001D .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 003F0000 .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 003F0FB6 .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 003F0F8A .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 003F0F9B .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 003F0011 .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 003F0F79 .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 003F0022 .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 003F0FD1 .text C:\windows\system32\svchost.exe[836] WS2_32.dll!socket 76C23F00 5 Bytes JMP 003E000A .text C:\windows\system32\svchost.exe[960] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 009D0000 .text C:\windows\system32\svchost.exe[960] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 009D0FCA .text C:\windows\system32\svchost.exe[960] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 009D0FE5 .text C:\windows\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 005600BA .text C:\windows\system32\svchost.exe[960] 
kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00560F54 .text C:\windows\system32\svchost.exe[960] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00560F65 .text C:\windows\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 0056001B .text C:\windows\system32\svchost.exe[960] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 005600A9 .text C:\windows\system32\svchost.exe[960] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 0056007D .text C:\windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 0056006C .text C:\windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00560FAF .text C:\windows\system32\svchost.exe[960] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00560FE5 .text C:\windows\system32\svchost.exe[960] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00560104 .text C:\windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00560036 .text C:\windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00560051 .text C:\windows\system32\svchost.exe[960] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00560000 .text C:\windows\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 005600D5 .text C:\windows\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00560FCA .text C:\windows\system32\svchost.exe[960] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00560F80 .text C:\windows\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00560098 .text C:\windows\system32\svchost.exe[960] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 009C000C .text C:\windows\system32\svchost.exe[960] msvcrt.dll!_wsystem 76E0B04F 1 Byte [E9] .text C:\windows\system32\svchost.exe[960] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 009C0053 .text C:\windows\system32\svchost.exe[960] msvcrt.dll!system 76E0B16F 5 Bytes JMP 009C0FD2 .text C:\windows\system32\svchost.exe[960] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 
009C001D .text C:\windows\system32\svchost.exe[960] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 009C0042 .text C:\windows\system32\svchost.exe[960] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 009C0FE3 .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00930FE5 .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00930FA8 .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00930F8D .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 0093002F .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00930FD4 .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00930F68 .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 0093000A .text C:\windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00930FB9 .text C:\windows\system32\svchost.exe[960] WS2_32.dll!socket 76C23F00 5 Bytes JMP 008E0FE5 .text C:\windows\system32\svchost.exe[984] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00490FEF .text C:\windows\system32\svchost.exe[984] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00490FC3 .text C:\windows\system32\svchost.exe[984] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00490FDE .text C:\windows\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 00300F65 .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00300F2C .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 003000CB .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00300040 .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00300F80 .text C:\windows\system32\svchost.exe[984] kernel32.dll!VirtualProtect 761450AB 1 Byte [E9] .text 
C:\windows\system32\svchost.exe[984] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00300FAF .text C:\windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00300FC0 .text C:\windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00300087 .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00300FEF .text C:\windows\system32\svchost.exe[984] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 003000DC .text C:\windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 0030005B .text C:\windows\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00300076 .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00300000 .text C:\windows\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 003000A9 .text C:\windows\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00300025 .text C:\windows\system32\svchost.exe[984] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 003000BA .text C:\windows\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00300098 .text C:\windows\system32\svchost.exe[984] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 003B0FEF .text C:\windows\system32\svchost.exe[984] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 003B0038 .text C:\windows\system32\svchost.exe[984] msvcrt.dll!system 76E0B16F 5 Bytes JMP 003B0FAD .text C:\windows\system32\svchost.exe[984] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 003B0FC8 .text C:\windows\system32\svchost.exe[984] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 003B001D .text C:\windows\system32\svchost.exe[984] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 003B000C .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 003A0000 .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 003A0FC0 .text C:\windows\system32\svchost.exe[984] 
ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 003A0062 .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 003A0047 .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 003A0FDB .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 003A0FA5 .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 1 Byte [E9] .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 003A0011 .text C:\windows\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 003A0036 .text C:\windows\system32\svchost.exe[984] WS2_32.dll!socket 76C23F00 5 Bytes JMP 00350000 .text C:\windows\System32\svchost.exe[1116] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00E30FEF .text C:\windows\System32\svchost.exe[1116] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00E3000A .text C:\windows\System32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00E30FD4 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 009A00B6 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 009A0F46 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 009A0F57 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 009A001B .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 009A0F83 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 009A0F94 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 009A006C .text C:\windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 009A005B .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 009A0000 .text 
C:\windows\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 009A00EC .text C:\windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 009A0FB9 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 009A0040 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 009A0FE5 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 009A0F72 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 009A0FCA .text C:\windows\System32\svchost.exe[1116] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 009A00D1 .text C:\windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 009A0091 .text C:\windows\System32\svchost.exe[1116] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 00E20FEF .text C:\windows\System32\svchost.exe[1116] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00E20038 .text C:\windows\System32\svchost.exe[1116] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00E20FAD .text C:\windows\System32\svchost.exe[1116] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00E2000C .text C:\windows\System32\svchost.exe[1116] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00E2001D .text C:\windows\System32\svchost.exe[1116] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 00E20FD2 .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00DD0FEF .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00DD002C .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00DD0F9E .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00DD0FAF .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00DD0000 .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00DD0F83 .text 
C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 1 Byte [E9] .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00DD0011 .text C:\windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00DD0FC0 .text C:\windows\System32\svchost.exe[1116] WS2_32.dll!socket 76C23F00 5 Bytes JMP 00DC0FEF .text C:\windows\System32\svchost.exe[1156] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 009A0FEF .text C:\windows\System32\svchost.exe[1156] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 009A0FB9 .text C:\windows\System32\svchost.exe[1156] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 009A0FD4 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 008A009C .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 008A0F2C .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 008A00C1 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 008A0022 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 008A0081 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 008A0F87 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 008A005F .text C:\windows\System32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 008A004E .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 008A0011 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 008A0F11 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 008A0FC0 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 008A003D .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 008A0000 
.text C:\windows\System32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 008A0F58 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 008A0FD1 .text C:\windows\System32\svchost.exe[1156] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 008A0F3D .text C:\windows\System32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 008A0070 .text C:\windows\System32\svchost.exe[1156] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 00990FEF .text C:\windows\System32\svchost.exe[1156] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00990FA8 .text C:\windows\System32\svchost.exe[1156] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00990FB9 .text C:\windows\System32\svchost.exe[1156] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00990018 .text C:\windows\System32\svchost.exe[1156] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00990029 .text C:\windows\System32\svchost.exe[1156] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 00990FDE .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00900FE5 .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00900FA8 .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00900F7C .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00900F8D .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00900FD4 .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00900039 .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 0090000A .text C:\windows\System32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00900FB9 .text C:\windows\System32\svchost.exe[1156] WS2_32.dll!socket 76C23F00 5 Bytes JMP 008F0FEF .text C:\windows\system32\svchost.exe[1188] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00EE0FEF .text 
C:\windows\system32\svchost.exe[1188] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00EE001B .text C:\windows\system32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00EE000A .text C:\windows\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 009E0F57 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 009E00AC .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 009E009B .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 009E0040 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 009E0F68 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 009E0F94 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 009E0076 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 009E0FB9 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 009E0FEF .text C:\windows\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 009E00D1 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 009E005B .text C:\windows\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 009E0FCA .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 009E0000 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 009E0F46 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 009E0025 .text C:\windows\system32\svchost.exe[1188] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 009E0F2B .text C:\windows\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 009E0F83 .text C:\windows\system32\svchost.exe[1188] msvcrt.dll!_open 76DD7E48 5 Bytes 
JMP 00ED0FEF .text C:\windows\system32\svchost.exe[1188] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00ED003D .text C:\windows\system32\svchost.exe[1188] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00ED0FB2 .text C:\windows\system32\svchost.exe[1188] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00ED0011 .text C:\windows\system32\svchost.exe[1188] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00ED0022 .text C:\windows\system32\svchost.exe[1188] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 00ED0000 .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00B30000 .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00B30FC0 .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00B30FA5 .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00B3003D .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00B3001B .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00B30062 .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00B30FE5 .text C:\windows\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00B3002C .text C:\windows\system32\svchost.exe[1188] WS2_32.dll!socket 76C23F00 5 Bytes JMP 00A30FEF .text C:\windows\system32\svchost.exe[1428] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00240FEF .text C:\windows\system32\svchost.exe[1428] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00240FD4 .text C:\windows\system32\svchost.exe[1428] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 0024000A .text C:\windows\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 001000A9 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00100F2F .text C:\windows\system32\svchost.exe[1428] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00100F40 .text 
C:\windows\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00100FD1 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00100098 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00100062 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00100F8A .text C:\windows\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00100F9B .text C:\windows\system32\svchost.exe[1428] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00100011 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 001000DF .text C:\windows\system32\svchost.exe[1428] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00100FC0 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 0010003D .text C:\windows\system32\svchost.exe[1428] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00100000 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 00100F65 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00100022 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 001000C4 .text C:\windows\system32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 0010007D .text C:\windows\system32\svchost.exe[1428] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 0012000C .text C:\windows\system32\svchost.exe[1428] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00120FCA .text C:\windows\system32\svchost.exe[1428] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00120055 .text C:\windows\system32\svchost.exe[1428] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 0012003A .text C:\windows\system32\svchost.exe[1428] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00120FE5 .text C:\windows\system32\svchost.exe[1428] msvcrt.dll!_wopen 76E10570 3 Bytes JMP 0012001D .text 
C:\windows\system32\svchost.exe[1428] msvcrt.dll!_wopen + 4 76E10574 1 Byte [89] .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00110000 .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00110FC3 .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 0011004A .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00110FA8 .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00110FE5 .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 0011005B .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00110FD4 .text C:\windows\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 0011002F .text C:\windows\system32\svchost.exe[1428] WS2_32.dll!socket 76C23F00 5 Bytes JMP 0039000A .text C:\windows\system32\svchost.exe[1532] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 0090000A .text C:\windows\system32\svchost.exe[1532] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 0090001B .text C:\windows\system32\svchost.exe[1532] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00900FEF .text C:\windows\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 00810F51 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00810F1B .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 008100B0 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00810022 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00810084 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00810F8A .text C:\windows\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00810F9B 
.text C:\windows\system32\svchost.exe[1532] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00810058 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00810000 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00810F00 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00810FB6 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 0081003D .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00810FEF .text C:\windows\system32\svchost.exe[1532] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 00810095 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00810011 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00810F36 .text C:\windows\system32\svchost.exe[1532] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00810073 .text C:\windows\system32\svchost.exe[1532] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 0083000C .text C:\windows\system32\svchost.exe[1532] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00830064 .text C:\windows\system32\svchost.exe[1532] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00830FCF .text C:\windows\system32\svchost.exe[1532] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 0083002E .text C:\windows\system32\svchost.exe[1532] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 0083003F .text C:\windows\system32\svchost.exe[1532] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 0083001D .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00820000 .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00820036 .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00820FA5 .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00820047 .text 
C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00820FE5 .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00820F8A .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 0082001B .text C:\windows\system32\svchost.exe[1532] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00820FCA .text C:\windows\system32\svchost.exe[1888] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00D10FEF .text C:\windows\system32\svchost.exe[1888] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00D10FC3 .text C:\windows\system32\svchost.exe[1888] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00D10FD4 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 00900F3F .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00900EEE .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00900F13 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00900FCD .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00900F50 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 0090005E .text C:\windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00900F86 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00900FA1 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00900014 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 0090009E .text C:\windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00900FB2 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00900043 .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreateFileA 7615291C 5 
Bytes JMP 00900FEF .text C:\windows\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 00900F2E .text C:\windows\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00900FDE .text C:\windows\system32\svchost.exe[1888] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 0090008D .text C:\windows\system32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00900F6B .text C:\windows\system32\svchost.exe[1888] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 00D00000 .text C:\windows\system32\svchost.exe[1888] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00D00FAD .text C:\windows\system32\svchost.exe[1888] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00D00038 .text C:\windows\system32\svchost.exe[1888] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 00D00027 .text C:\windows\system32\svchost.exe[1888] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00D00FC8 .text C:\windows\system32\svchost.exe[1888] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 00D00FE3 .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 009E0FEF .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 009E0FC3 .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 009E0040 .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 009E0F9E .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 009E0FDE .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 009E0F8D .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 009E0014 .text C:\windows\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 009E002F .text C:\windows\system32\svchost.exe[1888] WS2_32.dll!socket 76C23F00 5 Bytes JMP 0091000A .text C:\windows\system32\svchost.exe[2088] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 01190000 .text 
C:\windows\system32\svchost.exe[2088] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 0119001B .text C:\windows\system32\svchost.exe[2088] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 01190FE5 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 01150F8D .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 01150107 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 011500F6 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 01150FDE .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 011500AC .text C:\windows\system32\svchost.exe[2088] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 01150080 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 01150065 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 01150FB2 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 0115001B .text C:\windows\system32\svchost.exe[2088] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 01150F61 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 0115004A .text C:\windows\system32\svchost.exe[2088] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 01150FC3 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 01150000 .text C:\windows\system32\svchost.exe[2088] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 011500DB .text C:\windows\system32\svchost.exe[2088] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 01150FEF .text C:\windows\system32\svchost.exe[2088] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 01150F7C .text C:\windows\system32\svchost.exe[2088] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 0115009B .text C:\windows\system32\svchost.exe[2088] msvcrt.dll!_open 76DD7E48 5 Bytes 
JMP 01180000 .text C:\windows\system32\svchost.exe[2088] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 01180F90 .text C:\windows\system32\svchost.exe[2088] msvcrt.dll!system 76E0B16F 5 Bytes JMP 01180FAB .text C:\windows\system32\svchost.exe[2088] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 01180FCD .text C:\windows\system32\svchost.exe[2088] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 01180FBC .text C:\windows\system32\svchost.exe[2088] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 01180011 .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 01170FEF .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 01170FC3 .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 01170FB2 .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 01170054 .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 0117000A .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 01170F97 .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 01170FD4 .text C:\windows\system32\svchost.exe[2088] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 0117002F .text C:\windows\system32\svchost.exe[2088] WS2_32.dll!socket 76C23F00 5 Bytes JMP 01160FEF .text C:\windows\system32\svchost.exe[2548] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 0037000A .text C:\windows\system32\svchost.exe[2548] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00370025 .text C:\windows\system32\svchost.exe[2548] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00370FE5 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 0030008E .text C:\windows\system32\svchost.exe[2548] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 003000D5 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 003000BA .text 
C:\windows\system32\svchost.exe[2548] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00300FAF .text C:\windows\system32\svchost.exe[2548] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 0030007D .text C:\windows\system32\svchost.exe[2548] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 0030005B .text C:\windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00300F79 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00300036 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00300FE5 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00300F25 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00300F9E .text C:\windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00300025 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00300000 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 0030009F .text C:\windows\system32\svchost.exe[2548] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00300FCA .text C:\windows\system32\svchost.exe[2548] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00300F40 .text C:\windows\system32\svchost.exe[2548] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 0030006C .text C:\windows\system32\svchost.exe[2548] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 00320000 .text C:\windows\system32\svchost.exe[2548] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 00320FAB .text C:\windows\system32\svchost.exe[2548] msvcrt.dll!system 76E0B16F 5 Bytes JMP 00320036 .text C:\windows\system32\svchost.exe[2548] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 0032001B .text C:\windows\system32\svchost.exe[2548] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 00320FC6 .text C:\windows\system32\svchost.exe[2548] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 00320FD7 .text 
C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00310FEF .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 0031002F .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00310F8D .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00310F9E .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 0031000A .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExW 76C7B946 1 Byte [E9] .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 0031004A .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00310FD4 .text C:\windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00310FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 03E30FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 03E30FC0 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 03E30000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 03DF0F57 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 03DF0EFF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 03DF0F10 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 03DF0FCD .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 03DF0080 .text C:\Program Files\McAfee\Common 
Framework\FrameworkService.exe[2728] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 03DF0054 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 03DF0F7C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 03DF0F8D .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 03DF0FDE .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 03DF00AF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 03DF0039 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 03DF0FA8 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 03DF0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 03DF0F46 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 03DF0014 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 03DF0F21 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 03DF0065 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 03E20FE3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 03E20027 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] msvcrt.dll!system 76E0B16F 5 Bytes JMP 03E20FA6 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] msvcrt.dll!_creat 
76E0ED29 5 Bytes JMP 03E20FC1 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 03E2000C .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 03E20FD2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 03E10FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 03E10FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 03E10040 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 03E10FA8 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 03E10000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 03E10F8D .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 03E10FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 03E10025 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] WS2_32.dll!socket 76C23F00 5 Bytes JMP 03E00000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] WININET.dll!InternetOpenA 76897DDC 5 Bytes JMP 03E50000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] WININET.dll!InternetOpenW 76899D58 5 Bytes JMP 03E50FE5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] WININET.dll!InternetOpenUrlA 7689DBD0 1 Byte [E9] .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[2728] WININET.dll!InternetOpenUrlA 7689DBD0 5 Bytes JMP 03E50FD4 .text C:\Program Files\McAfee\Common 
Framework\FrameworkService.exe[2728] WININET.dll!InternetOpenUrlW 768EE094 5 Bytes JMP 03E50025 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 009B0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 009B0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 009B0FD4 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 007D0F79 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 007D0F03 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 007D0F28 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 007D0036 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 007D0F8A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 007D0098 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 007D0FCA .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 007D0087 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 007D0FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 007D0EF2 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 007D0047 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 007D0062 .text C:\Program Files\McAfee\Common 
Framework\naPrdMgr.exe[3088] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 007D0000 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 007D0F5E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 007D0025 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 007D0F39 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 007D0FA5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 009A0FE3 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 009A002A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] msvcrt.dll!system 76E0B16F 5 Bytes JMP 009A0F95 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 009A0FC1 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 009A0FB0 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 009A0FD2 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00990FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00990FC0 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00990FAF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00990047 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 0099000A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 
00990F9E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 0099001B .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 0099002C .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[3088] WS2_32.dll!socket 76C23F00 5 Bytes JMP 00980000 .text C:\windows\system32\svchost.exe[3168] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 003B0FE5 .text C:\windows\system32\svchost.exe[3168] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 003B0FC3 .text C:\windows\system32\svchost.exe[3168] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 003B0FD4 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 00380054 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 0038008A .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00380079 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00380FA8 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00380F2B .text C:\windows\system32\svchost.exe[3168] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00380F3C .text C:\windows\system32\svchost.exe[3168] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00380F61 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 0038001E .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00380FD4 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00380EDA .text C:\windows\system32\svchost.exe[3168] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00380F97 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00380F7C .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00380FE5 .text 
C:\windows\system32\svchost.exe[3168] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 00380F1A .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateNamedPipeA 7618D5BF 1 Byte [E9] .text C:\windows\system32\svchost.exe[3168] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00380FC3 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00380F09 .text C:\windows\system32\svchost.exe[3168] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00380039 .text C:\windows\system32\svchost.exe[3168] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 003A0FE3 .text C:\windows\system32\svchost.exe[3168] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 003A0F9F .text C:\windows\system32\svchost.exe[3168] msvcrt.dll!system 76E0B16F 5 Bytes JMP 003A002A .text C:\windows\system32\svchost.exe[3168] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 003A0FC1 .text C:\windows\system32\svchost.exe[3168] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 003A0FB0 .text C:\windows\system32\svchost.exe[3168] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 003A0FD2 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00390000 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00390F9E .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00390040 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00390025 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00390FE5 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00390051 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00390FD4 .text C:\windows\system32\svchost.exe[3168] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00390FB9 .text C:\windows\system32\svchost.exe[3928] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 0004000A .text C:\windows\system32\svchost.exe[3928] 
ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 0004002C .text C:\windows\system32\svchost.exe[3928] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 0004001B .text C:\windows\system32\svchost.exe[3928] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 0001008E .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 000100BA .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00010F2F .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00010FC0 .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 0001007D .text C:\windows\system32\svchost.exe[3928] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 0001006C .text C:\windows\system32\svchost.exe[3928] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00010F9E .text C:\windows\system32\svchost.exe[3928] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00010051 .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00010000 .text C:\windows\system32\svchost.exe[3928] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 000100D5 .text C:\windows\system32\svchost.exe[3928] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00010FAF .text C:\windows\system32\svchost.exe[3928] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00010036 .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00010FEF .text C:\windows\system32\svchost.exe[3928] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 0001009F .text C:\windows\system32\svchost.exe[3928] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 0001001B .text C:\windows\system32\svchost.exe[3928] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00010F40 .text C:\windows\system32\svchost.exe[3928] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00010F6F .text C:\windows\system32\svchost.exe[3928] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 000E0FEF .text 
C:\windows\system32\svchost.exe[3928] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 000E0FB2 .text C:\windows\system32\svchost.exe[3928] msvcrt.dll!system 76E0B16F 5 Bytes JMP 000E003D .text C:\windows\system32\svchost.exe[3928] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 000E0022 .text C:\windows\system32\svchost.exe[3928] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 000E0FCD .text C:\windows\system32\svchost.exe[3928] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 000E0FDE .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00100FEF .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00100022 .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 0010003D .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00100F9B .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00100FD4 .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00100F8A .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00100000 .text C:\windows\system32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00100011 .text C:\windows\system32\svchost.exe[3928] WS2_32.dll!socket 76C23F00 5 Bytes JMP 003B000A .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] 
ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[4692] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00040FEF .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00040FD4 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 0004000A .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 00010098 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 000100CE .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00010F39 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00010051 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreatePipe 76134A8B 5 
Bytes JMP 00010F6F .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00010F94 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 00010062 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00010FA5 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 0001001B .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 00010F14 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00010FE5 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00010FC0 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00010000 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!SetUnhandledExceptionFilter 76153162 5 Bytes JMP 617B8FA9 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation) .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 00010F4A .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 0001002C .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 000100A9 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 0001007D .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 000F0FEF .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 000F0F9E .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] msvcrt.dll!system 76E0B16F 5 Bytes JMP 000F0FC3 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 
000F0029 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 000F0FD4 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 000F0018 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00100FEF .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00100FC3 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00100FB2 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00100054 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00100014 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 0010006F .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00100FDE .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 0010002F .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] ole32.dll!OleLoadFromStream 762C5BF6 5 Bytes JMP 61CF86A0 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation) .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] WININET.dll!InternetOpenA 76897DDC 5 Bytes JMP 03470FEF .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] WININET.dll!InternetOpenW 76899D58 5 Bytes JMP 03470FD4 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] WININET.dll!InternetOpenUrlA 7689DBD0 5 Bytes JMP 03470FB9 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] WININET.dll!InternetOpenUrlW 768EE094 5 Bytes JMP 03470000 .text C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE[5036] WS2_32.dll!socket 76C23F00 5 Bytes JMP 034B000A .text C:\windows\Explorer.EXE[5080] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00040FEF .text 
C:\windows\Explorer.EXE[5080] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00040FCA .text C:\windows\Explorer.EXE[5080] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 0004000A .text C:\windows\Explorer.EXE[5080] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 0001009F .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 000100C4 .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00010F2F .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00010FD4 .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00010F76 .text C:\windows\Explorer.EXE[5080] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 0001008E .text C:\windows\Explorer.EXE[5080] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 0001007D .text C:\windows\Explorer.EXE[5080] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 00010062 .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 0001000A .text C:\windows\Explorer.EXE[5080] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 000100D5 .text C:\windows\Explorer.EXE[5080] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 00010040 .text C:\windows\Explorer.EXE[5080] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 00010051 .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00010FEF .text C:\windows\Explorer.EXE[5080] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 00010F5B .text C:\windows\Explorer.EXE[5080] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00010025 .text C:\windows\Explorer.EXE[5080] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00010F4A .text C:\windows\Explorer.EXE[5080] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00010F91 .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 000E0FEF .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 000E002F .text C:\windows\Explorer.EXE[5080] 
ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 000E005B .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 000E004A .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 000E0FDE .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 000E0F9E .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 000E0FCD .text C:\windows\Explorer.EXE[5080] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 000E001E .text C:\windows\Explorer.EXE[5080] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 000F000C .text C:\windows\Explorer.EXE[5080] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 000F004E .text C:\windows\Explorer.EXE[5080] msvcrt.dll!system 76E0B16F 5 Bytes JMP 000F0FB9 .text C:\windows\Explorer.EXE[5080] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 000F0029 .text C:\windows\Explorer.EXE[5080] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 000F0FD4 .text C:\windows\Explorer.EXE[5080] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 000F0FEF .text C:\windows\Explorer.EXE[5080] WININET.dll!InternetOpenA 76897DDC 5 Bytes JMP 02D90000 .text C:\windows\Explorer.EXE[5080] WININET.dll!InternetOpenW 76899D58 5 Bytes JMP 02D9001B .text C:\windows\Explorer.EXE[5080] WININET.dll!InternetOpenUrlA 7689DBD0 5 Bytes JMP 02D90036 .text C:\windows\Explorer.EXE[5080] WININET.dll!InternetOpenUrlW 768EE094 5 Bytes JMP 02D90FDB .text C:\windows\Explorer.EXE[5080] WS2_32.dll!socket 76C23F00 5 Bytes JMP 03980FE5 .text C:\Program Files\Microsoft Office Communicator\communicator.exe[5576] USER32.dll!SetProcessDPIAware 76ED0B01 5 Bytes JMP 00C395D2 C:\Program Files\Microsoft Office Communicator\communicator.exe (Microsoft Office Communicator 2007 R2/Microsoft Corporation) .text C:\Program Files\Microsoft Office Communicator\communicator.exe[5576] ole32.dll!OleLoadFromStream 762C5BF6 5 Bytes JMP 61CF86A0 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft 
Corporation) .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] 
ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5736] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtCreateFile + B 77CE487B 
1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] 
ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[5984] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes 
[28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[6164] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] 
ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7128] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\windows\system32\svchost.exe[7352] ntdll.dll!NtCreateFile 77CE4870 5 Bytes JMP 00040000 .text C:\windows\system32\svchost.exe[7352] ntdll.dll!NtCreateProcess 77CE4940 5 Bytes JMP 00040FD4 .text C:\windows\system32\svchost.exe[7352] ntdll.dll!NtProtectVirtualMemory 77CE51C0 5 Bytes JMP 00040FE5 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!GetStartupInfoA 76101DF0 5 Bytes JMP 000100A9 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreateProcessW 7610202D 5 Bytes JMP 00010F2F .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreateProcessA 76102062 5 Bytes JMP 00010F4A .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreateNamedPipeW 76131FD6 5 Bytes JMP 00010FC3 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreatePipe 76134A8B 5 Bytes JMP 00010098 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!VirtualProtect 761450AB 5 Bytes JMP 00010087 .text 
C:\windows\system32\svchost.exe[7352] kernel32.dll!LoadLibraryExW 7614B6BF 5 Bytes JMP 0001006C .text C:\windows\system32\svchost.exe[7352] kernel32.dll!LoadLibraryExA 7614BC8B 5 Bytes JMP 0001005B .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreateFileW 76150B7D 5 Bytes JMP 00010014 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!GetProcAddress 76151857 5 Bytes JMP 000100E9 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!LoadLibraryA 76152884 5 Bytes JMP 0001002F .text C:\windows\system32\svchost.exe[7352] kernel32.dll!LoadLibraryW 761528D2 5 Bytes JMP 0001004A .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreateFileA 7615291C 5 Bytes JMP 00010FEF .text C:\windows\system32\svchost.exe[7352] kernel32.dll!GetStartupInfoW 76157CD5 5 Bytes JMP 000100BA .text C:\windows\system32\svchost.exe[7352] kernel32.dll!CreateNamedPipeA 7618D5BF 5 Bytes JMP 00010FD4 .text C:\windows\system32\svchost.exe[7352] kernel32.dll!WinExec 7618E76D 5 Bytes JMP 00010F5B .text C:\windows\system32\svchost.exe[7352] kernel32.dll!VirtualProtectEx 7618F729 5 Bytes JMP 00010F8A .text C:\windows\system32\svchost.exe[7352] msvcrt.dll!_open 76DD7E48 5 Bytes JMP 000E0FEF .text C:\windows\system32\svchost.exe[7352] msvcrt.dll!_wsystem 76E0B04F 5 Bytes JMP 000E006E .text C:\windows\system32\svchost.exe[7352] msvcrt.dll!system 76E0B16F 5 Bytes JMP 000E0053 .text C:\windows\system32\svchost.exe[7352] msvcrt.dll!_creat 76E0ED29 5 Bytes JMP 000E0027 .text C:\windows\system32\svchost.exe[7352] msvcrt.dll!_wcreat 76E1038E 5 Bytes JMP 000E0038 .text C:\windows\system32\svchost.exe[7352] msvcrt.dll!_wopen 76E10570 5 Bytes JMP 000E000C .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegOpenKeyA 76C6D2ED 5 Bytes JMP 00170FE5 .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegCreateKeyA 76C6D3C1 5 Bytes JMP 00170047 .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegCreateKeyExA 76C71B71 5 Bytes JMP 00170FAF .text 
C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegCreateKeyW 76C71CC0 5 Bytes JMP 00170FC0 .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegOpenKeyW 76C73129 5 Bytes JMP 00170000 .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegCreateKeyExW 76C7B946 5 Bytes JMP 00170062 .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 1 Byte [E9] .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegOpenKeyExA 76C7BC0D 5 Bytes JMP 00170011 .text C:\windows\system32\svchost.exe[7352] ADVAPI32.dll!RegOpenKeyExW 76C7BEC4 5 Bytes JMP 00170022 .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text 
C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 03, 07, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7524] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtCreateFile + 6 77CE4876 4 Bytes [28, 00, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtCreateFile + B 77CE487B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 1 Byte [28] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtMapViewOfSection + 6 77CE4ED6 4 Bytes [28, 03, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtMapViewOfSection + B 77CE4EDB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenFile + 6 77CE4F86 4 Bytes [68, 00, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenFile + B 77CE4F8B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenProcess + 6 77CE5036 4 Bytes [A8, 01, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenProcess + B 77CE503B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenProcessToken + B 77CE504B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5056 4 Bytes [A8, 02, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] 
ntdll.dll!NtOpenProcessTokenEx + B 77CE505B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenThread + 6 77CE50B6 4 Bytes [68, 01, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenThread + B 77CE50BB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenThreadToken + 6 77CE50C6 4 Bytes [68, 02, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenThreadToken + B 77CE50CB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtOpenThreadTokenEx + B 77CE50DB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtQueryAttributesFile + 6 77CE51E6 4 Bytes [A8, 00, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtQueryAttributesFile + B 77CE51EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtQueryFullAttributesFile + B 77CE529B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtSetInformationFile + 6 77CE58E6 4 Bytes [28, 01, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtSetInformationFile + B 77CE58EB 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtSetInformationThread + 6 77CE5946 4 Bytes [28, 02, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtSetInformationThread + B 77CE594B 1 Byte [E2] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 1 Byte [68] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtUnmapViewOfSection + 6 77CE5C66 4 Bytes [68, 
03, 17, 00] .text C:\Users\kwieka\AppData\Local\Google\Chrome\Application\chrome.exe[7696] ntdll.dll!NtUnmapViewOfSection + B 77CE5C6B 1 Byte [E2] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\windows\system32\mfevtps.exe[2992] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004056B0] C:\windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73702494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [736E5624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [736E56E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [7370250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [736F8573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [736F4D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [736F50CE] 
C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [736F51A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [736F66D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [736F82CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [736F8819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [736F907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [736FE21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\windows\Explorer.EXE[5080] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [736F4C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- 
Device Ntfs.sys (Sterownik systemu plików NT/Microsoft Corporation)
AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cf6e89
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cf6e89@6c9b02ef194f 0x34 0xB7 0xFB 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cf6e89@0025e75eed00 0xD0 0xC6 0xC7 0x3C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cf6e89@1c4bd602ef80 0xF9 0x43 0xCD 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cf6e89 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cf6e89@6c9b02ef194f 0x34 0xB7 0xFB 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cf6e89@0025e75eed00 0xD0 0xC6 0xC7 0x3C ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cf6e89@1c4bd602ef80 0xF9 0x43 0xCD 0xE8 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\SoftwareDistribution\Download\97875b2c70acf6c807ca8ab6164148d5\$dpx$.tmp\e41ef7ef5e54454b9551ccf2f23b4ffa.tmp 2809 bytes

---- EOF - GMER 1.0.15 ----