GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-24 15:46:21
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.EC1Z
Running: ww7k8xtn.exe; Driver: C:\Users\kkaczor\AppData\Local\Temp\kftirpoc.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C7B1918]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C7B192C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C7B1942]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C7B19CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C7B197E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C7B19A6]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C7B1992]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C7B196A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C7B1956]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C7B19FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C7B19E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C7B19BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82C365C5 5 Bytes JMP 8C7B19BE \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C48369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C81D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 82E04E8D 5 Bytes JMP 8C7B1982 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82E436AD 5 Bytes JMP 8C7B195A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82E51452 7 Bytes JMP 8C7B19D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82E65A7D 5 Bytes JMP 8C7B1A01 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82E6F6FA 5 Bytes JMP 8C7B19E8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82E79116 5 Bytes JMP 8C7B1946 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82E9C9CC 5 Bytes JMP 8C7B1996 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 82EA6968 5 Bytes JMP 8C7B19AA \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 82EE6EE5 5 Bytes JMP 8C7B191C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EE6F30 7 Bytes JMP 8C7B1930 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 82EE7DEF 5 Bytes JMP 8C7B196E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[372] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 002D0000
.text C:\Windows\Explorer.EXE[372] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 002D0FD4
.text C:\Windows\Explorer.EXE[372] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 002D0FE5
.text C:\Windows\Explorer.EXE[372] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 002B0080
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 002B00A5
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 002B0F10
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 002B0022
.text C:\Windows\Explorer.EXE[372] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 002B005B
.text C:\Windows\Explorer.EXE[372] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 002B0F94
.text C:\Windows\Explorer.EXE[372] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 002B0F83
.text C:\Windows\Explorer.EXE[372] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 002B0EF5
.text C:\Windows\Explorer.EXE[372] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 002B0FB6
.text C:\Windows\Explorer.EXE[372] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 002B0F3C
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 002B0000
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 002B0FEF
.text C:\Windows\Explorer.EXE[372] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 002B0FA5
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 002B0F4D
.text C:\Windows\Explorer.EXE[372] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 002B0011
.text C:\Windows\Explorer.EXE[372] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 002B0F2B
.text C:\Windows\Explorer.EXE[372] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 002B0F68
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 003B0FEF
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 003B0040
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 003B006C
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 003B005B
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 003B0FDE
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 003B0087
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 003B002F
.text C:\Windows\Explorer.EXE[372] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 003B0014
.text C:\Windows\Explorer.EXE[372] msvcrt.dll!_open 75C77E48 5 Bytes JMP 003C0FEF
.text C:\Windows\Explorer.EXE[372] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 003C0FC3
.text C:\Windows\Explorer.EXE[372] msvcrt.dll!system 75CAB177 5 Bytes JMP 003C0FD4
.text C:\Windows\Explorer.EXE[372] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 003C0033
.text C:\Windows\Explorer.EXE[372] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 003C0044
.text C:\Windows\Explorer.EXE[372] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 003C000C
.text C:\Windows\Explorer.EXE[372] WININET.dll!InternetOpenW 770E9197 5 Bytes JMP 036A0FCA
.text C:\Windows\Explorer.EXE[372] WININET.dll!InternetOpenA 770EF18E 5 Bytes JMP 036A0FEF
.text C:\Windows\Explorer.EXE[372] WININET.dll!InternetOpenUrlA 771030E9 5 Bytes JMP 036A0000
.text C:\Windows\Explorer.EXE[372] WININET.dll!InternetOpenUrlW 7713BF94 5 Bytes JMP 036A001B
.text C:\Windows\Explorer.EXE[372] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 03D00000
.text C:\Windows\system32\services.exe[592] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00660000
.text C:\Windows\system32\services.exe[592] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00660FD4
.text C:\Windows\system32\services.exe[592] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00660FE5
.text C:\Windows\system32\services.exe[592] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 002200BA
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00220F65
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 002200F0
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 0022002C
.text C:\Windows\system32\services.exe[592] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 0022007D
.text C:\Windows\system32\services.exe[592] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00220FB6
.text C:\Windows\system32\services.exe[592] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00220FA5
.text C:\Windows\system32\services.exe[592] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00220F40
.text C:\Windows\system32\services.exe[592] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00220047
.text C:\Windows\system32\services.exe[592] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00220F76
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 0022001B
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00220000
.text C:\Windows\system32\services.exe[592] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00220058
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 002200A9
.text C:\Windows\system32\services.exe[592] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00220FE5
.text C:\Windows\system32\services.exe[592] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 002200D5
.text C:\Windows\system32\services.exe[592] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00220098
.text C:\Windows\system32\services.exe[592] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00100FEF
.text C:\Windows\system32\services.exe[592] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00100F9C
.text C:\Windows\system32\services.exe[592] msvcrt.dll!system 75CAB177 5 Bytes JMP 00100FAD
.text C:\Windows\system32\services.exe[592] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00100FD2
.text C:\Windows\system32\services.exe[592] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 0010001D
.text C:\Windows\system32\services.exe[592] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 0010000C
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 002C0000
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 002C0047
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 002C0FAF
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 002C0FC0
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 002C001B
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 002C006C
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 002C0036
.text C:\Windows\system32\services.exe[592] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 002C0FE5
.text C:\Windows\system32\services.exe[592] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00670FE5
.text C:\Windows\system32\lsass.exe[656] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00FA0FEF
.text C:\Windows\system32\lsass.exe[656] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00FA0FCA
.text C:\Windows\system32\lsass.exe[656] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00FA0000
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00240F54
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 002400B3
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 002400A2
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00240036
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00240F80
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00240051
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00240062
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 002400CE
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00240FCA
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00240F39
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00240FE5
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00240000
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00240FAF
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00240F6F
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 0024001B
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00240F28
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 0024007D
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00220FEF
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00220FA6
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!system 75CAB177 5 Bytes JMP 00220FC1
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 0022000C
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00220027
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00220FD2
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00250FEF
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00250025
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 0025005B
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 0025004A
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00250000
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00250F9E
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00250FB9
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00250FCA
.text C:\Windows\system32\lsass.exe[656] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00230FE5
.text C:\Windows\system32\svchost.exe[768] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00D3000A
.text C:\Windows\system32\svchost.exe[768] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00D3002C
.text C:\Windows\system32\svchost.exe[768] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00D3001B
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 004300E9
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00430129
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00430F94
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 0043003D
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00430098
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00430FD1
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00430FC0
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00430144
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 0043004E
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 004300FA
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 0043001B
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00430000
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00430069
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 004300CE
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 0043002C
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00430FA5
.text C:\Windows\system32\svchost.exe[768] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 004300B3
.text C:\Windows\system32\svchost.exe[768] msvcrt.dll!_open 75C77E48 5 Bytes JMP 002C0000
.text C:\Windows\system32\svchost.exe[768] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 002C0064
.text C:\Windows\system32\svchost.exe[768] msvcrt.dll!system 75CAB177 5 Bytes JMP 002C0053
.text C:\Windows\system32\svchost.exe[768] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 002C0FE3
.text C:\Windows\system32\svchost.exe[768] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 002C0038
.text C:\Windows\system32\svchost.exe[768] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 002C001D
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00490FEF
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00490FA8
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00490054
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 0049002F
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 0049000A
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00490F8D
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00490FC3
.text C:\Windows\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00490FDE
.text C:\Windows\system32\svchost.exe[768] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 0042000A
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 004C0FEF
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 004C0FCA
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 004C000A
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 003A0F21
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 003A0EEB
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 003A0EFC
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 003A0014
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 003A002F
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 003A0F72
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 003A0F57
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 003A00A5
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 003A0F9E
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 003A0065
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 003A0FD4
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 003A0FEF
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 003A0F83
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 003A004A
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 003A0FC3
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 003A0076
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 003A0F32
.text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00330FE3
.text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00330058
.text C:\Windows\system32\svchost.exe[884] msvcrt.dll!system 75CAB177 5 Bytes JMP 0033003D
.text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00330011
.text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00330022
.text C:\Windows\system32\svchost.exe[884] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00330000
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00470000
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00470025
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00470051
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00470040
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00470FE5
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00470F8A
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00470FC3
.text C:\Windows\system32\svchost.exe[884] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00470FD4
.text C:\Windows\system32\svchost.exe[884] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00340FEF
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00BB0FE5
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00BB0FD4
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00BB000A
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00B30F32
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00B30EF2
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00B30F03
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00B3000A
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00B30040
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00B30F83
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00B30F68
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00B30ED7
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00B30F9E
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00B3006C
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00B30FD4
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00B30FEF
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00B30025
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00B30F4D
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00B30FB9
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00B30087
.text C:\Windows\System32\svchost.exe[972] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00B30051
.text C:\Windows\System32\svchost.exe[972] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00AD0FEF
.text C:\Windows\System32\svchost.exe[972] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00AD0FAD
.text C:\Windows\System32\svchost.exe[972] msvcrt.dll!system 75CAB177 5 Bytes JMP 00AD0FC8
.text C:\Windows\System32\svchost.exe[972] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00AD001D
.text C:\Windows\System32\svchost.exe[972] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00AD002E
.text C:\Windows\System32\svchost.exe[972] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00AD000C
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00BA000A
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00BA0FDE
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00BA0FB9
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00BA005B
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00BA0FEF
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00BA0F94
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00BA004A
.text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00BA002F
.text C:\Windows\System32\svchost.exe[972] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00AE000A
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00EC0FEF
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00EC0FD4
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00EC000A
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00E60F46
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00E600C0
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00E6009B
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00E60FC3
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00E60054
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00E6002F
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00E60F7C
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00E600DB
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00E60FA8
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00E60080
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00E60FDE
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00E60FEF
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00E60F97
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00E60F57
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00E60014
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00E60F21
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00E6006F
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_open 75C77E48 5 Bytes JMP 0065000C
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00650FBE
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!system 75CAB177 5 Bytes JMP 00650049
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 0065002E
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00650FD9
.text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 0065001D
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00EB0FEF
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00EB0FB9
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00EB0040
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00EB0F9E
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00EB000A
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00EB0051
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00EB0025
.text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00EB0FD4
.text C:\Windows\System32\svchost.exe[1020] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00B40FE5
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 01140000
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 01140FE5
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 01140011
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 010A0087
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 010A0F0D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 010A0F28
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 010A001B
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 010A005B
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 010A0F9E
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 010A0F8D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 010A0EFC
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 010A0036
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 010A0098
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 010A0FEF
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 010A0000
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 010A0FAF
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 010A0076
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 010A0FD4
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 010A0F39
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 010A0F5E
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_open 75C77E48 5 Bytes JMP 01080FEF
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 01080022
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!system 75CAB177 5 Bytes JMP 01080F97
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 01080FC6
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 01080011
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 01080000
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 010F0000
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 010F0FC0
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 010F0F9E
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 010F0FAF
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 010F0011
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 010F005B
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 010F0FD1
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 010F002C
.text C:\Windows\system32\svchost.exe[1072] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 01090000
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenW 770E9197 5 Bytes JMP 0189000A
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenA 770EF18E 5 Bytes JMP 01890FEF
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 771030E9 5 Bytes JMP 01890FD4
.text C:\Windows\system32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 7713BF94 5 Bytes JMP 01890025
.text C:\Windows\system32\svchost.exe[1232] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[1232] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 009D0014
.text C:\Windows\system32\svchost.exe[1232] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 009D0FDE
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00970F5E
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 009700D1
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00970F3C
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00970FCA
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00970F8A
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00970FA5
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00970062
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00970F17
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00970040
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 009700A2
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00970011
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00970000
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00970051
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00970087
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00970FDB
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00970F4D
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00970F79
.text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00400000
.text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00400064
.text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!system 75CAB177 5 Bytes JMP 00400053
.text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00400038
.text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00400FE3
.text C:\Windows\system32\svchost.exe[1232] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 0040001D
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 0098000A
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00980062
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00980098
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 0098007D
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 0098001B
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00980FD1
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00980047
.text C:\Windows\system32\svchost.exe[1232] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 0098002C
.text C:\Windows\system32\svchost.exe[1232] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00960FEF
.text C:\Windows\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 0095000A
.text C:\Windows\system32\svchost.exe[1592] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00950040
.text C:\Windows\system32\svchost.exe[1592] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 0095001B
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00930F5B
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 009300D5
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00930F40
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00930FCA
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 0093007A
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00930058
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00930069
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 009300F0
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 0093002C
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 0093009F
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00930000
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00930FEF
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 0093003D
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00930F6C
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00930011
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 009300B0
.text C:\Windows\system32\svchost.exe[1592] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00930F87
.text C:\Windows\system32\svchost.exe[1592] msvcrt.dll!_open 75C77E48 5 Bytes
JMP 00400FE3 .text C:\Windows\system32\svchost.exe[1592] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00400034 .text C:\Windows\system32\svchost.exe[1592] msvcrt.dll!system 75CAB177 5 Bytes JMP 00400F9F .text C:\Windows\system32\svchost.exe[1592] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00400FC1 .text C:\Windows\system32\svchost.exe[1592] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00400FB0 .text C:\Windows\system32\svchost.exe[1592] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00400FD2 .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00940FEF .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00940F97 .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00940028 .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00940F86 .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00940FDE .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00940F75 .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00940FA8 .text C:\Windows\system32\svchost.exe[1592] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00940FCD .text C:\Windows\system32\svchost.exe[1592] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00410FE5 .text C:\Windows\System32\svchost.exe[1624] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00AB0FEF .text C:\Windows\System32\svchost.exe[1624] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00AB0FCD .text C:\Windows\System32\svchost.exe[1624] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00AB0FDE .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00A500A8 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00A50F4C .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00A50F5D .text 
C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00A50FD4 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00A50068 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00A50FA1 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00A50F90 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00A50F31 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00A50FC3 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00A500C3 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00A50FEF .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00A50000 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00A50FB2 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00A50097 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00A50025 .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00A50F6E .text C:\Windows\System32\svchost.exe[1624] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00A50F7F .text C:\Windows\System32\svchost.exe[1624] msvcrt.dll!_open 75C77E48 5 Bytes JMP 009F0000 .text C:\Windows\System32\svchost.exe[1624] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 009F0044 .text C:\Windows\System32\svchost.exe[1624] msvcrt.dll!system 75CAB177 5 Bytes JMP 009F0FB9 .text C:\Windows\System32\svchost.exe[1624] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 009F0029 .text C:\Windows\System32\svchost.exe[1624] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 009F0FCA .text C:\Windows\System32\svchost.exe[1624] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 009F0FEF .text 
C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00A60000 .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00A60F9E .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00A60040 .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00A60025 .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00A60FE5 .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00A60F79 .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00A60FAF .text C:\Windows\System32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00A60FCA .text C:\Windows\System32\svchost.exe[1624] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00A40FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 04510FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 04510FCD .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 04510FDE .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 044F00AC .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 044F0F39 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 044F0F4A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 044F001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 044F006C .text C:\Program Files\McAfee\Common 
Framework\FrameworkService.exe[1688] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 044F0040 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 044F0051 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 044F00E9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 044F0FA5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 044F00BD .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 044F0FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 044F0FEF .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 044F0F94 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 044F0F83 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 044F000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 044F00CE .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 044F0091 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] msvcrt.dll!_open 75C77E48 5 Bytes JMP 044D0000 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 044D0F9F .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] msvcrt.dll!system 75CAB177 5 Bytes JMP 044D0FB0 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] msvcrt.dll!_creat 75CAED31 
5 Bytes JMP 044D0FD2 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 044D0FC1 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 044D0FE3 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 04500FE5 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 0450001B .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 04500051 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 04500036 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 04500FD4 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 04500F94 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 04500FB9 .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 0450000A .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1688] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 044E0FEF .text C:\Windows\system32\svchost.exe[1832] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 017C0000 .text C:\Windows\system32\svchost.exe[1832] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 017C0FE5 .text C:\Windows\system32\svchost.exe[1832] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 017C001B .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 017600C0 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 01760107 .text C:\Windows\system32\svchost.exe[1832] 
kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 01760F68 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 01760025 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 01760FB2 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 01760065 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 0176008A .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 01760118 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 01760FC3 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 017600DB .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 01760FEF .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 0176000A .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 01760054 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 017600AF .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 01760FD4 .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 017600EC .text C:\Windows\system32\svchost.exe[1832] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 01760FA1 .text C:\Windows\system32\svchost.exe[1832] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00500000 .text C:\Windows\system32\svchost.exe[1832] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 0050003D .text C:\Windows\system32\svchost.exe[1832] msvcrt.dll!system 75CAB177 5 Bytes JMP 0050002C .text C:\Windows\system32\svchost.exe[1832] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00500FD7 .text C:\Windows\system32\svchost.exe[1832] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00500FBC .text C:\Windows\system32\svchost.exe[1832] msvcrt.dll!_wopen 
75CB0578 5 Bytes JMP 00500011 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 01770000 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 01770036 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 01770062 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 01770047 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 01770FE5 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 01770FA5 .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 01770FCA .text C:\Windows\system32\svchost.exe[1832] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 0177001B .text C:\Windows\system32\svchost.exe[1832] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 0175000A .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 002E0FEF .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 002E001B .text C:\Windows\System32\svchost.exe[2220] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 002E000A .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00270098 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00270F39 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 002700CE .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00270047 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 0027006C .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00270FA5 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00270F94 .text C:\Windows\System32\svchost.exe[2220] 
kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00270F14 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00270FE5 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00270F54 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00270025 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00270000 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00270FC0 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00270F6F .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00270036 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 002700B3 .text C:\Windows\System32\svchost.exe[2220] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 0027007D .text C:\Windows\System32\svchost.exe[2220] msvcrt.dll!_open 75C77E48 5 Bytes JMP 0021000C .text C:\Windows\System32\svchost.exe[2220] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00210FC1 .text C:\Windows\System32\svchost.exe[2220] msvcrt.dll!system 75CAB177 5 Bytes JMP 0021004C .text C:\Windows\System32\svchost.exe[2220] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00210FD2 .text C:\Windows\System32\svchost.exe[2220] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00210027 .text C:\Windows\System32\svchost.exe[2220] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00210FEF .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00290FE5 .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00290FC3 .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00290F8D .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00290FA8 .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyW 76F62459 5 
Bytes JMP 00290FD4 .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00290F72 .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 0029002F .text C:\Windows\System32\svchost.exe[2220] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 0029000A .text C:\Windows\System32\svchost.exe[2220] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00220FE5 .text C:\Windows\System32\svchost.exe[2248] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00330000 .text C:\Windows\System32\svchost.exe[2248] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00330FD4 .text C:\Windows\System32\svchost.exe[2248] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00330FE5 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00310F46 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00310F1A .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 003100AF .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00310025 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 0031004A .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00310F8D .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00310F7C .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00310EFF .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00310FC3 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00310F2B .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00310FDE .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00310FEF .text C:\Windows\System32\svchost.exe[2248] 
kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00310FA8 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00310F57 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00310014 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00310094 .text C:\Windows\System32\svchost.exe[2248] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00310065 .text C:\Windows\System32\svchost.exe[2248] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00260000 .text C:\Windows\System32\svchost.exe[2248] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00260FA1 .text C:\Windows\System32\svchost.exe[2248] msvcrt.dll!system 75CAB177 5 Bytes JMP 00260FBC .text C:\Windows\System32\svchost.exe[2248] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00260011 .text C:\Windows\System32\svchost.exe[2248] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 0026002C .text C:\Windows\System32\svchost.exe[2248] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00260FD7 .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00320000 .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00320047 .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00320FAF .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00320FC0 .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00320011 .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00320062 .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00320FDB .text C:\Windows\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 0032002C .text C:\Windows\System32\svchost.exe[2248] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00270FE5 .text C:\Windows\system32\svchost.exe[2280] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 
002F0FEF .text C:\Windows\system32\svchost.exe[2280] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 002F001B .text C:\Windows\system32\svchost.exe[2280] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 002F000A .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 002D0062 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 002D00B0 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 002D009F .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 002D0FC3 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 002D0040 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 002D0F79 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 002D0F68 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 002D0F0A .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 002D0F9E .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 002D0073 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 002D000A .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 002D0FEF .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 002D0025 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 002D0051 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 002D0FD4 .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 002D008E .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 002D0F43 .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_open 
75C77E48 5 Bytes JMP 00230000 .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 00230FC8 .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!system 75CAB177 5 Bytes JMP 00230049 .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 0023001D .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 00230038 .text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00230FE3 .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 002E0000 .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 002E0FB9 .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 002E005B .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 002E004A .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 002E001B .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 002E0076 .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 002E0FD4 .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 002E0FE5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 009B0FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 009B0025 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 009B0014 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00880F61 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00880F46 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] 
kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 008800DB .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00880FCD .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00880079 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00880FA1 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 0088005E .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 008800F6 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00880039 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 008800A5 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 0088000A .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00880FEF .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00880FB2 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00880094 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00880FDE .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!WinExec 75F0EDB2 1 Byte [E9] .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 008800B6 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00880F86 .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] msvcrt.dll!_open 75C77E48 5 Bytes JMP 
003D000C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 003D0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] msvcrt.dll!system 75CAB177 5 Bytes JMP 003D0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 003D0044
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 003D0055
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 003D001D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 009A000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 009A004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 009A0FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 009A005B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 009A0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 009A0F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 009A0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 009A0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[2536] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00870FE5
.text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00040FEF
.text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 0004000A
.text C:\Windows\system32\svchost.exe[3992] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00040FD4
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00010098
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 000100DF
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 000100CE
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00010051
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00010FAF
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00010FDB
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00010FC0
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00010F2F
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00010062
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00010F54
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 00010073
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00010F6F
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 000100B3
.text C:\Windows\system32\svchost.exe[3992] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00010F8A
.text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_open 75C77E48 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 0007001D
.text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!system 75CAB177 5 Bytes JMP 00070F92
.text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 00070FC1
.text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 0007000C
.text C:\Windows\system32\svchost.exe[3992] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 00070FD2
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00080FA5
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00080F80
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00080022
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 00080FE5
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00080F6F
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00080FC0
.text C:\Windows\system32\svchost.exe[3992] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00080011
.text C:\Windows\system32\svchost.exe[3992] WS2_32.dll!socket 75DF3EB8 5 Bytes JMP 00300FE5
.text C:\Windows\system32\svchost.exe[5524] ntdll.dll!NtCreateFile 776B55C8 5 Bytes JMP 00040000
.text C:\Windows\system32\svchost.exe[5524] ntdll.dll!NtCreateProcess 776B5698 5 Bytes JMP 00040FDB
.text C:\Windows\system32\svchost.exe[5524] ntdll.dll!NtProtectVirtualMemory 776B5F18 5 Bytes JMP 00040011
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!GetStartupInfoA 75E81E10 5 Bytes JMP 00010062
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreateProcessW 75E8204D 5 Bytes JMP 00010EE8
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreateProcessA 75E82082 5 Bytes JMP 00010EF9
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreateNamedPipeW 75EB2D47 5 Bytes JMP 00010FAF
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!VirtualProtect 75EC2BCD 5 Bytes JMP 00010F5E
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!LoadLibraryExA 75EC4466 5 Bytes JMP 00010F79
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!LoadLibraryExW 75EC5079 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!GetProcAddress 75ECCC94 5 Bytes JMP 00010ECD
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!LoadLibraryA 75ECDC65 5 Bytes JMP 00010F9E
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!GetStartupInfoW 75ECE2DD 5 Bytes JMP 00010F1E
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreateFileW 75ECE8A5 5 Bytes JMP 00010FDE
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreateFileA 75ECEA61 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!LoadLibraryW 75ECEF42 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreatePipe 75EE12A6 5 Bytes JMP 00010051
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!CreateNamedPipeA 75F0DBA8 5 Bytes JMP 0001000A
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!WinExec 75F0EDB2 5 Bytes JMP 00010073
.text C:\Windows\system32\svchost.exe[5524] kernel32.dll!VirtualProtectEx 75F0FD51 5 Bytes JMP 00010F43
.text C:\Windows\system32\svchost.exe[5524] msvcrt.dll!_open 75C77E48 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\svchost.exe[5524] msvcrt.dll!_wsystem 75CAB057 5 Bytes JMP 000E0053
.text C:\Windows\system32\svchost.exe[5524] msvcrt.dll!system 75CAB177 5 Bytes JMP 000E0FC8
.text C:\Windows\system32\svchost.exe[5524] msvcrt.dll!_creat 75CAED31 5 Bytes JMP 000E001D
.text C:\Windows\system32\svchost.exe[5524] msvcrt.dll!_wcreat 75CB0396 5 Bytes JMP 000E0038
.text C:\Windows\system32\svchost.exe[5524] msvcrt.dll!_wopen 75CB0578 5 Bytes JMP 000E000C
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegOpenKeyA 76F5CC15 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegCreateKeyA 76F5CD01 5 Bytes JMP 00240FC3
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegCreateKeyExA 76F61469 5 Bytes JMP 00240065
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegCreateKeyW 76F61514 5 Bytes JMP 00240054
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegOpenKeyW 76F62459 5 Bytes JMP 0024001B
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegCreateKeyExW 76F640FE 5 Bytes JMP 00240FA8
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegOpenKeyExW 76F6468D 5 Bytes JMP 00240FD4
.text C:\Windows\system32\svchost.exe[5524] ADVAPI32.dll!RegOpenKeyExA 76F64907 5 Bytes JMP 00240FE5

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\mfevtps.exe[2180] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004056B0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Liquidware Labs\Connector ID\tntupdsvc.exe[2308] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7576FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Liquidware Labs\Connector ID\tntupdsvc.exe[2308] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7576FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Liquidware Labs\Connector ID\tntupdsvc.exe[2308] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7576FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Liquidware Labs\Connector ID\tntupdsvc.exe[2308] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7576FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Liquidware Labs\Connector ID\tntupdsvc.exe[2308] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7576FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Liquidware Labs\Connector ID\tntupdsvc.exe[2308] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7576FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device Fs_Rec.sys (File System Recognizer Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf4519c4d
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\78dd08b4208d
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf4519c4d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\78dd08b4208d (not active ControlSet)

---- EOF - GMER 1.0.15 ----