GMER 2.1.19155 - http://www.gmer.net
Rootkit scan 2013-03-14 19:02:54
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHX2250BT rev.0040000C 232,89GB
Running: gmer.exe; Driver: C:\Users\remik\AppData\Local\Temp\uxldrpod.sys

---- System - GMER 2.1 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x843AD2E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x843AD312]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x843AD2FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x843AD2D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwYieldExecution 834825F5 5 Bytes JMP 843AD2D8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 834943C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834CDD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x84131346]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F60F000, 0x23097E, 0xE8000020]
.text USBPORT.SYS!DllUnload 8FDD5DB9 5 Bytes JMP 86AAF1D8
.text autochk.exe 004211D1 3 Bytes [0F, 85, 8D]
.text autochk.exe 004211D7 14 Bytes [8B, 45, FC, 83, E3, FE, 83, ...]
.text autochk.exe 004211E8 14 Bytes [89, 45, FC, EB, 7D, 39, 7D, ...]
.text autochk.exe 004211F9 34 Bytes [83, CB, 20, EB, 6C, 83, E8, ...]
.text autochk.exe 0042121C 1 Byte [C0]
.text ...
? \Program Files\DAEMON Tools Lite\Engine.dll System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[616] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00110000 .text C:\Windows\system32\services.exe[616] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00110FDB .text C:\Windows\system32\services.exe[616] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00110011 .text C:\Windows\system32\services.exe[616] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00670F3F .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00670EFF .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 00670F1A .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00670FAF .text C:\Windows\system32\services.exe[616] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 0067004A .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00670F7C .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00670039 .text C:\Windows\system32\services.exe[616] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00670EE4 .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00670F9E .text C:\Windows\system32\services.exe[616] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00670083 .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00670FCA .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00670FEF .text C:\Windows\system32\services.exe[616] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00670F8D .text C:\Windows\system32\services.exe[616] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00670F50 .text C:\Windows\system32\services.exe[616] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 0067000A .text C:\Windows\system32\services.exe[616] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00670094 .text 
C:\Windows\system32\services.exe[616] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00670F61 .text C:\Windows\system32\services.exe[616] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00120000 .text C:\Windows\system32\services.exe[616] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00120FB9 .text C:\Windows\system32\services.exe[616] msvcrt.dll!system 773DB177 5 Bytes JMP 00120044 .text C:\Windows\system32\services.exe[616] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00120FEF .text C:\Windows\system32\services.exe[616] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00120FDE .text C:\Windows\system32\services.exe[616] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 0012001D .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 005E000A .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 005E0FD4 .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 005E0F9E .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 005E0FB9 .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 005E0FEF .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 005E005B .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 005E0040 .text C:\Windows\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 005E0025 .text C:\Windows\system32\services.exe[616] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 00680000 .text C:\Windows\system32\lsass.exe[640] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 000B0000 .text C:\Windows\system32\lsass.exe[640] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 000B0FDB .text C:\Windows\system32\lsass.exe[640] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 000B001B .text C:\Windows\system32\lsass.exe[640] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 000E0F79 .text C:\Windows\system32\lsass.exe[640] 
kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 000E0F43 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 000E00D8 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 000E0FC0 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 000E007D .text C:\Windows\system32\lsass.exe[640] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 000E0FA5 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 000E0062 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 000E00FD .text C:\Windows\system32\lsass.exe[640] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 000E002C .text C:\Windows\system32\lsass.exe[640] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 000E00BD .text C:\Windows\system32\lsass.exe[640] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 000E0FDB .text C:\Windows\system32\lsass.exe[640] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 000E0000 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 000E0051 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 000E0F94 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 000E0011 .text C:\Windows\system32\lsass.exe[640] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 000E0F5E .text C:\Windows\system32\lsass.exe[640] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 000E00A2 .text C:\Windows\system32\lsass.exe[640] msvcrt.dll!_open 773A7E48 5 Bytes JMP 000C0FE3 .text C:\Windows\system32\lsass.exe[640] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 000C003B .text C:\Windows\system32\lsass.exe[640] msvcrt.dll!system 773DB177 5 Bytes JMP 000C0020 .text C:\Windows\system32\lsass.exe[640] msvcrt.dll!_creat 773DED31 5 Bytes JMP 000C0FC1 .text C:\Windows\system32\lsass.exe[640] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 000C0FB0 .text 
C:\Windows\system32\lsass.exe[640] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 000C0FD2 .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 000D0FEF .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 000D0F9E .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 000D0025 .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 000D0F83 .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 000D0FD4 .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 000D0036 .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 000D0FB9 .text C:\Windows\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 000D000A .text C:\Windows\system32\lsass.exe[640] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 006B000A .text C:\Windows\system32\svchost.exe[744] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00380FEF .text C:\Windows\system32\svchost.exe[744] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00380FC3 .text C:\Windows\system32\svchost.exe[744] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00380FDE .text C:\Windows\system32\svchost.exe[744] kernel32.dll!GetStartupInfoA 77AF1E10 3 Bytes JMP 003B0F68 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!GetStartupInfoA + 4 77AF1E14 1 Byte [88] .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateProcessW 77AF204D 3 Bytes JMP 003B00F3 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateProcessW + 4 77AF2051 1 Byte [88] .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateProcessA 77AF2082 3 Bytes JMP 003B00D8 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateProcessA + 4 77AF2086 1 Byte [88] .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 003B0FD4 .text C:\Windows\system32\svchost.exe[744] 
kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 003B006F .text C:\Windows\system32\svchost.exe[744] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 003B0FA8 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 003B0F8D .text C:\Windows\system32\svchost.exe[744] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 003B010E .text C:\Windows\system32\svchost.exe[744] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 003B0040 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 003B00A2 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 003B000A .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 003B0FEF .text C:\Windows\system32\svchost.exe[744] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 003B0FB9 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 003B0091 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 003B0025 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 003B00C7 .text C:\Windows\system32\svchost.exe[744] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 003B0080 .text C:\Windows\system32\svchost.exe[744] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00390000 .text C:\Windows\system32\svchost.exe[744] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00390031 .text C:\Windows\system32\svchost.exe[744] msvcrt.dll!system 773DB177 5 Bytes JMP 00390FA6 .text C:\Windows\system32\svchost.exe[744] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00390FD2 .text C:\Windows\system32\svchost.exe[744] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00390FC1 .text C:\Windows\system32\svchost.exe[744] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00390FEF .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 003A000A .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 003A0FB9 
.text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 003A0F8D .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 003A0F9E .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 003A0FEF .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 003A004A .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 003A0FDE .text C:\Windows\system32\svchost.exe[744] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 003A002F .text C:\Windows\system32\svchost.exe[744] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 003C000A .text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 0021000A .text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 0021001B .text C:\Windows\system32\svchost.exe[816] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00210FE5 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00240080 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00240F10 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 002400A5 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00240FCA .text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00240F83 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00240051 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00240F94 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00240EF5 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00240FAF .text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 
00240F3C .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00240011 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00240000 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00240040 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00240F57 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 00240FE5 .text C:\Windows\system32\svchost.exe[816] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00240F2B .text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00240F72 .text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00220000 .text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00220F9A .text C:\Windows\system32\svchost.exe[816] msvcrt.dll!system 773DB177 5 Bytes JMP 00220FAB .text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00220FD7 .text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00220FC6 .text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00220011 .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00230FEF .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 0023002C .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 0023004E .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 0023003D .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 0023000A .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 0023005F .text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 0023001B .text C:\Windows\system32\svchost.exe[816] 
ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00230FD4 .text C:\Windows\system32\svchost.exe[816] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 00310FEF .text C:\Windows\System32\svchost.exe[932] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00D60FE5 .text C:\Windows\System32\svchost.exe[932] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00D60FCA .text C:\Windows\System32\svchost.exe[932] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00D6000A .text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00E20F38 .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00E20EFB .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 00E20F0C .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00E20FB9 .text C:\Windows\System32\svchost.exe[932] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00E20F6B .text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00E2002F .text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00E20F7C .text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00E20EE0 .text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00E20F9E .text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00E20F1D .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00E20000 .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00E20FEF .text C:\Windows\System32\svchost.exe[932] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00E20F8D .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00E20F49 .text C:\Windows\System32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 00E20FCA .text C:\Windows\System32\svchost.exe[932] 
kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00E2007C .text C:\Windows\System32\svchost.exe[932] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00E20F5A .text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00E00FEF .text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00E00044 .text C:\Windows\System32\svchost.exe[932] msvcrt.dll!system 773DB177 5 Bytes JMP 00E00033 .text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00E00018 .text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00E00FC3 .text C:\Windows\System32\svchost.exe[932] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00E00FDE .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00E1000A .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 00E10FD4 .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 00E10076 .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 00E1005B .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 00E10025 .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 00E10FB9 .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 00E10040 .text C:\Windows\System32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00E10FEF .text C:\Windows\System32\svchost.exe[932] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 00E30FEF .text C:\Windows\System32\svchost.exe[984] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00B90FE5 .text C:\Windows\System32\svchost.exe[984] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00B9000A .text C:\Windows\System32\svchost.exe[984] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00B90FCA .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00BC0098 
.text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00BC00D8 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 00BC00BD .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00BC0FDB .text C:\Windows\System32\svchost.exe[984] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00BC006C .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00BC0FAF .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00BC0F94 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00BC00E9 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00BC0047 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00BC0F54 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00BC0011 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00BC0000 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00BC0FC0 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00BC0087 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 00BC002C .text C:\Windows\System32\svchost.exe[984] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00BC0F43 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00BC0F79 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00BA0FEF .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00BA0020 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!system 773DB177 5 Bytes JMP 00BA0F95 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00BA0FB7 .text 
C:\Windows\System32\svchost.exe[984] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00BA0FA6 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00BA0FD2 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00BB0000 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 00BB0022 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 00BB004E .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 00BB003D .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 00BB0011 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 00BB0069 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 00BB0FC0 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00BB0FD1 .text C:\Windows\System32\svchost.exe[984] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 00D10FEF .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 009F000A .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 009F0036 .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 009F001B .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00A60F76 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00A60F40 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 00A600DF .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00A60022 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00A6008E .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00A60058 .text 
C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 77B35079 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00A6007D .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00A60F2F .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00A60FB6 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00A60F65 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00A60FDB .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00A60000 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00A6003D .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00A600A9 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 00A60011 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00A600C4 .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00A60F9B .text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00A40000 .text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00A4007F .text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!system 773DB177 5 Bytes JMP 00A4005A .text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00A4002E .text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00A40049 .text C:\Windows\system32\svchost.exe[1012] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00A4001D .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00A50FEF .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 00A5001B .text C:\Windows\system32\svchost.exe[1012] 
ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 00A5005B .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 00A50040 .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 00A50FD4 .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 00A5006C .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 00A50000 .text C:\Windows\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00A50FB9 .text C:\Windows\system32\svchost.exe[1012] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 00B30000 .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00750FEF .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00750FB9 .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00750FDE .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 007C00B3 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 007C0F54 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 007C0F65 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 007C0FEF .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 007C0087 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 007C0FAF .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 007C006C .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 007C0104 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 007C0051 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 007C00CE .text 
C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 007C0025 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 007C0000 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 007C0FCA .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 007C0F94 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 007C0040 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 007C00E9 .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 007C0098 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00760000 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00760FAB .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!system 773DB177 5 Bytes JMP 00760FBC .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00760FD7 .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 0076002C .text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00760011 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 007B0FE5 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 007B0FCA .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 007B0062 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 007B0051 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 007B0000 .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 007B007D .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 007B0036 .text C:\Windows\system32\svchost.exe[1184] 
ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 007B001B .text C:\Windows\system32\svchost.exe[1184] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 007D0FE5 .text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00690FEF .text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00690FCA .text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00690000 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 006B0F57 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 006B00C0 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 006B00AF .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 006B0FDE .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 006B0065 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 006B0054 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 006B0F8D .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 006B0F10 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 006B0FB9 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 006B0F46 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 006B000A .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 006B0FEF .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 006B0FA8 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 006B0076 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 006B002F .text 
C:\Windows\system32\svchost.exe[1216] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 006B0F35 .text C:\Windows\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 006B0F68 .text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00350000 .text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00350FAD .text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!system 773DB177 5 Bytes JMP 00350038 .text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_creat 773DED31 5 Bytes JMP 0035001D .text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00350FC8 .text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00350FEF .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 006A0FEF .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 006A0047 .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 006A0FC0 .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 006A0058 .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 006A000A .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 006A007D .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 006A0036 .text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 006A001B .text C:\Windows\system32\svchost.exe[1216] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 006C0000 .text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00D60000 .text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00D60025 .text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00D60FE5 .text C:\Windows\system32\svchost.exe[1356] 
kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 011F0F46 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 011F00C0 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 011F00A5 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 011F0FC3 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 011F0F7C .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 011F004A .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 011F0F8D .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 011F00D1 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 011F002F .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 011F0F2B .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 011F0014 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 011F0FEF .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 011F0FA8 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 011F0F57 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 011F0FDE .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 011F0094 .text C:\Windows\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 011F006F .text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00D70FEF .text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00D70F97 .text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!system 773DB177 5 Bytes JMP 00D70022 .text C:\Windows\system32\svchost.exe[1356] 
msvcrt.dll!_creat 773DED31 5 Bytes JMP 00D70000 .text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00D70011 .text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00D70FC6 .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00D80FEF .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 00D80FC3 .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 00D80FB2 .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 00D8004A .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 00D8000A .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 00D8006F .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 00D80FD4 .text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00D80025 .text C:\Windows\system32\svchost.exe[1356] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 0131000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtCreateFile + 6 77CE55CE 4 Bytes [28, 30, 14, 01] {SUB [EAX], DH; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtCreateFile + B 77CE55D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtMapViewOfSection + 6 77CE5C2E 4 Bytes [28, 33, 14, 01] {SUB [EBX], DH; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtMapViewOfSection + B 77CE5C33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenFile + 6 77CE5CDE 4 Bytes [68, 30, 14, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenFile + B 77CE5CE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] 
ntdll.dll!NtOpenProcess + 6 77CE5D8E 4 Bytes [A8, 31, 14, 01] {TEST AL, 0x31; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenProcess + B 77CE5D93 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenProcessToken + B 77CE5DA3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5DAE 4 Bytes [A8, 32, 14, 01] {TEST AL, 0x32; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenProcessTokenEx + B 77CE5DB3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenThread + 6 77CE5E0E 4 Bytes [68, 31, 14, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenThread + B 77CE5E13 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenThreadToken + 6 77CE5E1E 4 Bytes [68, 32, 14, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenThreadToken + B 77CE5E23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtOpenThreadTokenEx + B 77CE5E33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtQueryAttributesFile + 6 77CE5F3E 4 Bytes [A8, 30, 14, 01] {TEST AL, 0x30; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtQueryAttributesFile + B 77CE5F43 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtQueryFullAttributesFile + B 77CE5FF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtSetInformationFile + 6 77CE663E 4 Bytes [28, 31, 14, 01] {SUB [ECX], DH; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtSetInformationFile + B 77CE6643 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] 
ntdll.dll!NtSetInformationThread + 6 77CE669E 4 Bytes [28, 32, 14, 01] {SUB [EDX], DH; ADC AL, 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtSetInformationThread + B 77CE66A3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtUnmapViewOfSection + 6 77CE69BE 4 Bytes [68, 33, 14, 01] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1552] ntdll.dll!NtUnmapViewOfSection + B 77CE69C3 1 Byte [E2] .text C:\Windows\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00560000 .text C:\Windows\system32\svchost.exe[1668] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00560FEF .text C:\Windows\system32\svchost.exe[1668] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00560025 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00590080 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00590F10 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 005900A5 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 0059001B .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 0059004A .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00590F83 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00590F72 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 005900B6 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00590FAF .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00590F3C .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00590FD4 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 
00590FEF .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00590F9E .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00590F57 .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 0059000A .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00590F2B .text C:\Windows\system32\svchost.exe[1668] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 0059005B .text C:\Windows\system32\svchost.exe[1668] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00570FEF .text C:\Windows\system32\svchost.exe[1668] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00570FCA .text C:\Windows\system32\svchost.exe[1668] msvcrt.dll!system 773DB177 5 Bytes JMP 00570055 .text C:\Windows\system32\svchost.exe[1668] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00570029 .text C:\Windows\system32\svchost.exe[1668] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 0057003A .text C:\Windows\system32\svchost.exe[1668] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 0057000C .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00580FEF .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 00580FCD .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 00580FA8 .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 0058004A .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 00580014 .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 0058006F .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 00580FDE .text C:\Windows\system32\svchost.exe[1668] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00580025 .text C:\Windows\Explorer.EXE[1764] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 07810000 .text C:\Windows\Explorer.EXE[1764] 
ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 07810FE5 .text C:\Windows\Explorer.EXE[1764] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 07810011 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 07CE0F79 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 07CE00D8 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 07CE00C7 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 07CE001E .text C:\Windows\Explorer.EXE[1764] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 07CE009B .text C:\Windows\Explorer.EXE[1764] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 07CE0065 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 07CE0080 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 07CE00FD .text C:\Windows\Explorer.EXE[1764] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 07CE0039 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 07CE0F68 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 07CE0FD4 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 07CE0FEF .text C:\Windows\Explorer.EXE[1764] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 07CE004A .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 07CE0F9E .text C:\Windows\Explorer.EXE[1764] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 07CE0FC3 .text C:\Windows\Explorer.EXE[1764] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 07CE0F4D .text C:\Windows\Explorer.EXE[1764] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 07CE00AC .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 07880FEF .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 07880022 .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 
Bytes JMP 07880058 .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 07880047 .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 07880FD4 .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 07880F9B .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 07880011 .text C:\Windows\Explorer.EXE[1764] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 07880000 .text C:\Windows\Explorer.EXE[1764] msvcrt.dll!_open 773A7E48 5 Bytes JMP 07870000 .text C:\Windows\Explorer.EXE[1764] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 07870FB2 .text C:\Windows\Explorer.EXE[1764] msvcrt.dll!system 773DB177 5 Bytes JMP 0787003D .text C:\Windows\Explorer.EXE[1764] msvcrt.dll!_creat 773DED31 5 Bytes JMP 07870FD7 .text C:\Windows\Explorer.EXE[1764] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 0787002C .text C:\Windows\Explorer.EXE[1764] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 07870011 .text C:\Windows\Explorer.EXE[1764] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 07CF000A .text C:\Windows\Explorer.EXE[1764] WININET.dll!InternetOpenA 7727D5E8 5 Bytes JMP 07820FEF .text C:\Windows\Explorer.EXE[1764] WININET.dll!InternetOpenUrlA 7728E1C6 5 Bytes JMP 07820FD4 .text C:\Windows\Explorer.EXE[1764] WININET.dll!InternetOpenW 7729C596 5 Bytes JMP 07820000 .text C:\Windows\Explorer.EXE[1764] WININET.dll!InternetOpenUrlW 772EDBF8 5 Bytes JMP 07820025 .text C:\Windows\system32\svchost.exe[2060] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00220FEF .text C:\Windows\system32\svchost.exe[2060] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00220FC3 .text C:\Windows\system32\svchost.exe[2060] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00220FD4 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00390F4A .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00390F1E .text 
C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 003900A9 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 0039002C .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00390058 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00390F9B .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00390F80 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00390F03 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00390047 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00390084 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00390FE5 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00390000 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00390FB6 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00390F65 .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 0039001B .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00390F2F .text C:\Windows\system32\svchost.exe[2060] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00390073 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00270FEF .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 0027002C .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!system 773DB177 5 Bytes JMP 00270FA1 .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00270FCD .text C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00270FBC .text 
C:\Windows\system32\svchost.exe[2060] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00270FDE .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 00280FEF .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 00280025 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 00280040 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 00280F9E .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 0028000A .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 0028005B .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 00280FB9 .text C:\Windows\system32\svchost.exe[2060] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 00280FD4 .text C:\Windows\system32\svchost.exe[2060] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 003A000A .text C:\Windows\System32\svchost.exe[2436] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00240FEF .text C:\Windows\System32\svchost.exe[2436] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 00240014 .text C:\Windows\System32\svchost.exe[2436] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00240FD4 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 002B0F7D .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 002B0F2F .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 002B0F40 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 002B0FC0 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 002B007A .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 002B004E .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 
002B005F .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 002B0F14 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 002B0022 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 002B0F6C .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 002B0000 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 002B0FE5 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 002B003D .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 002B00A6 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 002B0011 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 002B0F51 .text C:\Windows\System32\svchost.exe[2436] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 002B008B .text C:\Windows\System32\svchost.exe[2436] msvcrt.dll!_open 773A7E48 5 Bytes JMP 00290FEF .text C:\Windows\System32\svchost.exe[2436] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 00290058 .text C:\Windows\System32\svchost.exe[2436] msvcrt.dll!system 773DB177 5 Bytes JMP 00290047 .text C:\Windows\System32\svchost.exe[2436] msvcrt.dll!_creat 773DED31 5 Bytes JMP 00290018 .text C:\Windows\System32\svchost.exe[2436] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 00290FCD .text C:\Windows\System32\svchost.exe[2436] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 00290FDE .text C:\Windows\System32\svchost.exe[2436] WS2_32.dll!socket 77DE3EB8 5 Bytes JMP 002C0FE5 .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 002A0000 .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 002A0051 .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 002A006C .text 
C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 002A0FC0 .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 002A001B .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 002A007D .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 002A0FE5 .text C:\Windows\System32\svchost.exe[2436] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 002A0036 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtCreateFile + 6 77CE55CE 4 Bytes [28, DC, DE, 00] {SUB AH, BL; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtCreateFile + B 77CE55D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtMapViewOfSection + 6 77CE5C2E 4 Bytes [28, DF, DE, 00] {SUB BH, BL; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtMapViewOfSection + B 77CE5C33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenFile + 6 77CE5CDE 4 Bytes [68, DC, DE, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenFile + B 77CE5CE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenProcess + 6 77CE5D8E 4 Bytes [A8, DD, DE, 00] {TEST AL, 0xdd; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenProcess + B 77CE5D93 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenProcessToken + B 77CE5DA3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5DAE 4 Bytes [A8, DE, DE, 00] {TEST AL, 0xde; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenProcessTokenEx + B 77CE5DB3 1 Byte [E2] .text C:\Program 
Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenThread + 6 77CE5E0E 4 Bytes [68, DD, DE, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenThread + B 77CE5E13 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenThreadToken + 6 77CE5E1E 4 Bytes [68, DE, DE, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenThreadToken + B 77CE5E23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtOpenThreadTokenEx + B 77CE5E33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtQueryAttributesFile + 6 77CE5F3E 4 Bytes [A8, DC, DE, 00] {TEST AL, 0xdc; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtQueryAttributesFile + B 77CE5F43 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtQueryFullAttributesFile + B 77CE5FF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtSetInformationFile + 6 77CE663E 4 Bytes [28, DD, DE, 00] {SUB CH, BL; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtSetInformationFile + B 77CE6643 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtSetInformationThread + 6 77CE669E 4 Bytes [28, DE, DE, 00] {SUB DH, BL; FIADD WORD [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtSetInformationThread + B 77CE66A3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtUnmapViewOfSection + 6 77CE69BE 4 Bytes [68, DF, DE, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2460] ntdll.dll!NtUnmapViewOfSection + B 77CE69C3 1 Byte [E2] .text C:\Windows\system32\svchost.exe[3068] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 001C0000 .text C:\Windows\system32\svchost.exe[3068] 
ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 001C0FDB .text C:\Windows\system32\svchost.exe[3068] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 001C001B .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00200091 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 00200F17 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 002000AC .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00200FA8 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00200065 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00200F8D .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00200054 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 002000D1 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00200014 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00200F4D .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 00200FCA .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00200FEF .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00200039 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00200F68 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 00200FB9 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 00200F28 .text C:\Windows\system32\svchost.exe[3068] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00200076 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_open 773A7E48 5 Bytes JMP 001D0FEF .text 
C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 001D0F6E .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!system 773DB177 5 Bytes JMP 001D0F89 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_creat 773DED31 5 Bytes JMP 001D0FB5 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 001D0FA4 .text C:\Windows\system32\svchost.exe[3068] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 001D0FD2 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 001F0FEF .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 001F001E .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 001F0F86 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 001F0FA1 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 001F0FD4 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 001F004D .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 001F0FB2 .text C:\Windows\system32\svchost.exe[3068] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 001F0FC3 .text C:\Windows\System32\svchost.exe[3208] ntdll.dll!NtCreateFile 77CE55C8 5 Bytes JMP 00020000 .text C:\Windows\System32\svchost.exe[3208] ntdll.dll!NtCreateProcess 77CE5698 5 Bytes JMP 0002002C .text C:\Windows\System32\svchost.exe[3208] ntdll.dll!NtProtectVirtualMemory 77CE5F18 5 Bytes JMP 00020011 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!GetStartupInfoA 77AF1E10 5 Bytes JMP 00120F32 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreateProcessW 77AF204D 5 Bytes JMP 001200AC .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreateProcessA 77AF2082 5 Bytes JMP 00120F17 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreateNamedPipeW 77B22D47 5 Bytes JMP 00120FC3 .text 
C:\Windows\System32\svchost.exe[3208] kernel32.dll!VirtualProtect 77B32BCD 5 Bytes JMP 00120054 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!LoadLibraryExA 77B34466 5 Bytes JMP 00120039 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!LoadLibraryExW 77B35079 5 Bytes JMP 00120F7C .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!GetProcAddress 77B3CC94 5 Bytes JMP 00120EFC .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 00120FB2 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!GetStartupInfoW 77B3E2DD 5 Bytes JMP 00120080 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreateFileW 77B3E8A5 5 Bytes JMP 0012000A .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreateFileA 77B3EA61 5 Bytes JMP 00120FE5 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 00120FA1 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreatePipe 77B512A6 5 Bytes JMP 00120065 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!CreateNamedPipeA 77B7DBA8 5 Bytes JMP 00120FD4 .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!WinExec 77B7EDB2 5 Bytes JMP 0012009B .text C:\Windows\System32\svchost.exe[3208] kernel32.dll!VirtualProtectEx 77B7FD51 5 Bytes JMP 00120F57 .text C:\Windows\System32\svchost.exe[3208] msvcrt.dll!_open 773A7E48 5 Bytes JMP 000D0FEF .text C:\Windows\System32\svchost.exe[3208] msvcrt.dll!_wsystem 773DB057 5 Bytes JMP 000D0F7A .text C:\Windows\System32\svchost.exe[3208] msvcrt.dll!system 773DB177 5 Bytes JMP 000D0F95 .text C:\Windows\System32\svchost.exe[3208] msvcrt.dll!_creat 773DED31 5 Bytes JMP 000D0FC1 .text C:\Windows\System32\svchost.exe[3208] msvcrt.dll!_wcreat 773E0396 5 Bytes JMP 000D0FB0 .text C:\Windows\System32\svchost.exe[3208] msvcrt.dll!_wopen 773E0578 5 Bytes JMP 000D0FD2 .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegOpenKeyA 779ACC15 5 Bytes JMP 000E0FEF .text 
C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegCreateKeyA 779ACD01 5 Bytes JMP 000E002F .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegCreateKeyExA 779B1469 5 Bytes JMP 000E005B .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegCreateKeyW 779B1514 5 Bytes JMP 000E004A .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegOpenKeyW 779B2459 5 Bytes JMP 000E000A .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegCreateKeyExW 779B40FE 5 Bytes JMP 000E0076 .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegOpenKeyExW 779B468D 5 Bytes JMP 000E0FC3 .text C:\Windows\System32\svchost.exe[3208] ADVAPI32.dll!RegOpenKeyExA 779B4907 5 Bytes JMP 000E0FD4 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtCreateFile + 6 77CE55CE 4 Bytes [28, 08, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtCreateFile + B 77CE55D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtMapViewOfSection + 6 77CE5C2E 4 Bytes [28, 0B, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtMapViewOfSection + B 77CE5C33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenFile + 6 77CE5CDE 4 Bytes [68, 08, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenFile + B 77CE5CE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenProcess + 6 77CE5D8E 4 Bytes [A8, 09, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenProcess + B 77CE5D93 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenProcessToken + B 77CE5DA3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5DAE 4 Bytes [A8, 0A, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] 
ntdll.dll!NtOpenProcessTokenEx + B 77CE5DB3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenThread + 6 77CE5E0E 4 Bytes [68, 09, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenThread + B 77CE5E13 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenThreadToken + 6 77CE5E1E 4 Bytes [68, 0A, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenThreadToken + B 77CE5E23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtOpenThreadTokenEx + B 77CE5E33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtQueryAttributesFile + 6 77CE5F3E 4 Bytes [A8, 08, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtQueryAttributesFile + B 77CE5F43 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtQueryFullAttributesFile + B 77CE5FF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtSetInformationFile + 6 77CE663E 4 Bytes [28, 09, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtSetInformationFile + B 77CE6643 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtSetInformationThread + 6 77CE669E 4 Bytes [28, 0A, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtSetInformationThread + B 77CE66A3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtUnmapViewOfSection + 6 77CE69BE 4 Bytes [68, 0B, A1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3404] ntdll.dll!NtUnmapViewOfSection + B 77CE69C3 1 Byte [E2] .text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[3748] kernel32.dll!LoadLibraryA 77B3DC65 5 Bytes JMP 68F68590 C:\Program Files\Common 
Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[3748] kernel32.dll!LoadLibraryW 77B3EF42 5 Bytes JMP 68F68690 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.) .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtCreateFile + 6 77CE55CE 4 Bytes [28, C4, A8, 00] {SUB AH, AL; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtCreateFile + B 77CE55D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtMapViewOfSection + 6 77CE5C2E 4 Bytes [28, C7, A8, 00] {SUB BH, AL; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtMapViewOfSection + B 77CE5C33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenFile + 6 77CE5CDE 4 Bytes [68, C4, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenFile + B 77CE5CE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenProcess + 6 77CE5D8E 4 Bytes [A8, C5, A8, 00] {TEST AL, 0xc5; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenProcess + B 77CE5D93 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenProcessToken + B 77CE5DA3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5DAE 4 Bytes [A8, C6, A8, 00] {TEST AL, 0xc6; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenProcessTokenEx + B 77CE5DB3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenThread + 6 77CE5E0E 4 Bytes [68, C5, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenThread + B 
77CE5E13 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenThreadToken + 6 77CE5E1E 4 Bytes [68, C6, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenThreadToken + B 77CE5E23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtOpenThreadTokenEx + B 77CE5E33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtQueryAttributesFile + 6 77CE5F3E 4 Bytes [A8, C4, A8, 00] {TEST AL, 0xc4; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtQueryAttributesFile + B 77CE5F43 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtQueryFullAttributesFile + B 77CE5FF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtSetInformationFile + 6 77CE663E 4 Bytes [28, C5, A8, 00] {SUB CH, AL; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtSetInformationFile + B 77CE6643 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtSetInformationThread + 6 77CE669E 4 Bytes [28, C6, A8, 00] {SUB DH, AL; TEST AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtSetInformationThread + B 77CE66A3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtUnmapViewOfSection + 6 77CE69BE 4 Bytes [68, C7, A8, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5756] ntdll.dll!NtUnmapViewOfSection + B 77CE69C3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtCreateFile + 6 77CE55CE 4 Bytes [28, 5C, 49, 00] {SUB [ECX+ECX*2+0x0], BL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtCreateFile + B 77CE55D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtMapViewOfSection 
+ 6 77CE5C2E 4 Bytes [28, 5F, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtMapViewOfSection + B 77CE5C33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenFile + 6 77CE5CDE 4 Bytes [68, 5C, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenFile + B 77CE5CE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcess + 6 77CE5D8E 4 Bytes [A8, 5D, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcess + B 77CE5D93 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessToken + B 77CE5DA3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessTokenEx + 6 77CE5DAE 4 Bytes [A8, 5E, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenProcessTokenEx + B 77CE5DB3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThread + 6 77CE5E0E 4 Bytes [68, 5D, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThread + B 77CE5E13 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadToken + 6 77CE5E1E 4 Bytes [68, 5E, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadToken + B 77CE5E23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtOpenThreadTokenEx + B 77CE5E33 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryAttributesFile + 6 77CE5F3E 4 Bytes [A8, 5C, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryAttributesFile + B 77CE5F43 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtQueryFullAttributesFile + B 
77CE5FF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationFile + 6 77CE663E 4 Bytes [28, 5D, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationFile + B 77CE6643 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationThread + 6 77CE669E 4 Bytes [28, 5E, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtSetInformationThread + B 77CE66A3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtUnmapViewOfSection + 6 77CE69BE 4 Bytes [68, 5F, 49, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5992] ntdll.dll!NtUnmapViewOfSection + B 77CE69C3 1 Byte [E2] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [84036730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [84036F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [84037232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [840370F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [84036914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) 
---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AB24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A9562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A956EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AB2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74AA85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AA4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74AA5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74AA51DA] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74AA6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74AA8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AA8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74AA90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74AAE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1764] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74AA4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\system32\mfevtps.exe[1992] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [001CA210] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.) 
---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8598C1F8 AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.) Device \Driver\usbohci \Device\USBPDO-0 86AA81F8 Device \Driver\usbohci \Device\USBPDO-1 86AA81F8 Device \Driver\usbohci \Device\USBPDO-2 86AA81F8 Device \Driver\usbohci \Device\USBPDO-3 86AA81F8 Device \Driver\usbohci \Device\USBPDO-4 86AA81F8 Device \Driver\usbehci \Device\USBPDO-5 86AB01F8 Device \Driver\cdrom \Device\CdRom0 86949430 Device \Driver\NetBT \Device\NetBT_Tcpip_{67685E5E-1359-4205-B611-45CEC0EC059C} 869C41F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8598A1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 8598A1F8 Device \Driver\atapi \Device\Ide\IdePort0 8598A1F8 Device \Driver\atapi \Device\Ide\IdePort1 8598A1F8 Device \Driver\atapi \Device\Ide\IdePort2 8598A1F8 Device \Driver\atapi \Device\Ide\IdePort3 8598A1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 869C41F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{16BC7CEC-CFA3-467B-9285-B3C69AED37D2} 869C41F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{87D5BACF-B6D0-483C-B3DB-0F9455DDAD41} 869C41F8 Device \Driver\usbohci \Device\USBFDO-0 86AA81F8 Device \Driver\usbohci \Device\USBFDO-1 86AA81F8 Device \Driver\usbohci \Device\USBFDO-2 86AA81F8 Device \Driver\usbohci \Device\USBFDO-3 86AA81F8 Device \Driver\usbohci \Device\USBFDO-4 86AA81F8 Device \Driver\usbehci \Device\USBFDO-5 86AB01F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8598a1f8]<< 8598a1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867da030] 867da030 Trace 3 CLASSPNP.SYS[8940459e] -> nt!IofCallDriver -> [0x866cf918] 866cf918 Trace 5 ACPI.sys[841543d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x859cb908] 859cb908 Trace \Driver\atapi[0x866b1f38] -> IRP_MJ_CREATE -> 0x8598a1f8 8598a1f8 ---- Registry - GMER 2.1 ---- Reg 
HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x83 0x30 0x48 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCB 0xEB 0x88 0x70 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x20 0xD4 0xA4 0x0E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1369 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{85F685C3-20D9-4943-95E4-EB4224056C3F}\iexplore@Count 7602 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C14E4E2B-FB02-4508-1297-49AA81C6911A} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C14E4E2B-FB02-4508-1297-49AA81C6911A}@oajbmjbomkabdiefpdjkbihmkolofp 0x69 0x61 0x6E 0x70 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C14E4E2B-FB02-4508-1297-49AA81C6911A}@napanojgnpnbhmffiaimmomibeoe 0x69 0x61 0x6E 0x70 ... 
---- Files - GMER 2.1 ---- File C:\Windows\$NtUninstallKB27523$\222586567 0 bytes File C:\Windows\$NtUninstallKB27523$\222586567\@ 2048 bytes File C:\Windows\$NtUninstallKB27523$\222586567\bckfg.tmp 894 bytes File C:\Windows\$NtUninstallKB27523$\222586567\cfg.ini 207 bytes File C:\Windows\$NtUninstallKB27523$\222586567\Desktop.ini 4608 bytes File C:\Windows\$NtUninstallKB27523$\222586567\keywords 150 bytes File C:\Windows\$NtUninstallKB27523$\222586567\kwrd.dll 223744 bytes File C:\Windows\$NtUninstallKB27523$\222586567\L 0 bytes File C:\Windows\$NtUninstallKB27523$\222586567\L\xadqgnnk 108544 bytes File C:\Windows\$NtUninstallKB27523$\222586567\lsflt7.ver 5176 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U 0 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U\00000001.@ 1536 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U\00000002.@ 224768 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U\00000004.@ 1024 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U\80000000.@ 1024 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U\80000004.@ 12800 bytes File C:\Windows\$NtUninstallKB27523$\222586567\U\80000032.@ 98304 bytes File C:\Windows\$NtUninstallKB27523$\3102072711 0 bytes ---- EOF - GMER 2.1 ----