GMER 2.1.19155 - http://www.gmer.net
Rootkit scan 2013-03-22 22:27:43
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST320LT0 rev.0010 298,09GB
Running: 19ufc226.exe; Driver: C:\Users\Sara\AppData\Local\Temp\kwlyquod.sys


---- System - GMER 2.1 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x86A6E5A8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x86A6E5D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x86A6E5BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x86A6E594]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwYieldExecution 81E2C5F5 5 Bytes JMP 86A6E598 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81E3E3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E77D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\services.exe[668] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\services.exe[668] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 001E0025
.text C:\Windows\system32\services.exe[668] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 001E0000
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 001D0F21
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 001D009B
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 001D0F10
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 001D0014
.text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 001D0F72
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 001D0040
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 001D0F83
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 001D0EE1
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 001D002F
.text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 001D006F
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 001D0FD4
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 001D0F9E
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 001D0F3C
.text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 001D0FC3
.text C:\Windows\system32\services.exe[668] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 001D0080
.text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 001D0F4D
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_open 76647E48 5 Bytes JMP 00290FEF
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00290FB2
.text C:\Windows\system32\services.exe[668] msvcrt.dll!system 7667B177 5 Bytes JMP 00290FC3
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00290029
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00290FDE
.text C:\Windows\system32\services.exe[668] msvcrt.dll!_wopen 76680578 5 Bytes JMP 0029000C
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 001F0FE5
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 001F0040
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 001F0062
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 001F0051
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 001F0000
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 001F007D
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 001F0FD4
.text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 001F0025
.text C:\Windows\system32\services.exe[668] WS2_32.dll!socket 76443EB8 5 Bytes JMP 0028000A
.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 000E0FE5
.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 000E0011
.text C:\Windows\system32\lsass.exe[712] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 000E0000
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 000C0F8D
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 000C0F61
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 000C00F6
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 000C0025
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 000C0080
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 000C0FB9
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 000C0FA8
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 000C0111
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 000C0040
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 000C0F7C
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 000C000A
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 000C0FEF
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 000C005B
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 000C00AC
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 000C0FDE
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 000C00DB
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 000C009B
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_open 76647E48 5 Bytes JMP 006E0FEF
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 006E0FBE
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!system 7667B177 5 Bytes JMP 006E0049
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 006E001D
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 006E002E
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_wopen 76680578 5 Bytes JMP 006E000C
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 000D0FEF
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 000D0FB2
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 000D0F86
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 000D0FA1
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 000D0FD4
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 000D0F75
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 000D0014
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 000D0FC3
.text C:\Windows\system32\lsass.exe[712] WS2_32.dll!socket 76443EB8 5 Bytes JMP 000F0000
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 003D0FEF
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 003D0FCD
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 003D0FDE
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 0024009F
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 00240F0A
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 00240F25
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00240036
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 0024007D
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00240FAF
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 0024006C
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 002400BA
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00240047
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00240F5B
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 0024001B
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00240000
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00240FC0
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 0024008E
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00240FE5
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00240F40
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00240F8A
.text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_open 76647E48 5 Bytes JMP 00270FEF
.text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00270064
.text C:\Windows\system32\svchost.exe[824] msvcrt.dll!system 7667B177 5 Bytes JMP 00270053
.text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00270027
.text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00270038
.text C:\Windows\system32\svchost.exe[824] msvcrt.dll!_wopen 76680578 5 Bytes JMP 0027000C
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 00250000
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00250033
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 00250055
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 00250044
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00250FE5
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00250F98
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00250022
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 00250011
.text C:\Windows\system32\svchost.exe[824] WS2_32.dll!socket 76443EB8 5 Bytes JMP 00260FEF
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00280FE5
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00280011
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00280000
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00200F2B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 0020009B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 0020008A
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00200FCA
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 00200F5E
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00200036
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 00200F79
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 002000B6
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00200FB9
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00200F10
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00200FEF
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00200F94
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00200F3C
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00200011
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 0020006F
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00200F4D
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_open 76647E48 5 Bytes JMP 00270FEF
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00270FA8
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!system 7667B177 5 Bytes JMP 00270033
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00270FCD
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00270022
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00270FDE
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 0025000A
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00250051
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 0025007D
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 00250062
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00250FEF
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00250FC0
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00250040
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 0025002F
.text C:\Windows\system32\svchost.exe[904] WS2_32.dll!socket 76443EB8 5 Bytes JMP 00260FEF
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00BF000A
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00BF0FD4
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00BF0FEF
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00B60F50
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 00B600B6
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 00B6009B
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00B60FCA
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 00B60054
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00B60F97
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 00B60F86
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 00B60F06
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00B60FB9
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00B60F2B
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 00B60FEF
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00B60000
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00B60FA8
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00B60F61
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00B6001B
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00B6008A
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00B6006F
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_open 76647E48 5 Bytes JMP 00B90FEF
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00B90031
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!system 7667B177 5 Bytes JMP 00B90FA6
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00B90FB7
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00B9000C
.text C:\Windows\System32\svchost.exe[988] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00B90FDE
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 00B70FEF
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00B7002C
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 00B7006C
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 00B70047
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00B70FDE
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00B70087
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00B7001B
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 00B7000A
.text C:\Windows\System32\svchost.exe[988] WS2_32.dll!socket 76443EB8 5 Bytes JMP 00B80FEF
.text C:\Windows\System32\svchost.exe[1032] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00650FEF
.text C:\Windows\System32\svchost.exe[1032] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00650FB9
.text C:\Windows\System32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00650FD4
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 005D0F4A
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 005D00A9
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 005D0F14
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 005D0FB9
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 005D0051
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 005D0040
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 005D0F83
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 005D0EF9
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 005D0FA8
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 005D0F2F
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 005D0FDB
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 005D0000
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 005D0025
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 005D0073
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 005D0FCA
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 005D008E
.text C:\Windows\System32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 005D0062
.text C:\Windows\System32\svchost.exe[1032] msvcrt.dll!_open 76647E48 5 Bytes JMP 00600000
.text C:\Windows\System32\svchost.exe[1032] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00600064
.text C:\Windows\System32\svchost.exe[1032] msvcrt.dll!system 7667B177 5 Bytes JMP 00600053
.text C:\Windows\System32\svchost.exe[1032] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 0060002E
.text C:\Windows\System32\svchost.exe[1032] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00600FD9
.text C:\Windows\System32\svchost.exe[1032] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00600011
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 005E0FEF
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 005E0FB2
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 005E0FA1
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 005E0039
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 005E0FDE
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 005E0068
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 005E001E
.text C:\Windows\System32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 005E0FCD
.text C:\Windows\System32\svchost.exe[1032] WS2_32.dll!socket 76443EB8 5 Bytes JMP 005F0000
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 016A000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 016A001B
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 016A0FEF
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 012100B6
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 012100FD
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 012100E2
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 01210FCA
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 0121006C
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 01210FAF
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 01210F9E
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 01210122
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 01210040
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 01210F72
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 01210FEF
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 0121000A
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 01210051
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 0121009B
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 01210025
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 012100D1
.text C:\Windows\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 01210F83
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_open 76647E48 5 Bytes JMP 01690FEF
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 01690FA6
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!system 7667B177 5 Bytes JMP 01690FB7
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 0169001D
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 01690FD2
.text C:\Windows\system32\svchost.exe[1068] msvcrt.dll!_wopen 76680578 5 Bytes JMP 0169000C
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 0167000A
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 01670058
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 01670098
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 0167007D
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 0167001B
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 01670FD1
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 01670047
.text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 01670036
.text C:\Windows\system32\svchost.exe[1068] WS2_32.dll!socket 76443EB8 5 Bytes JMP 0168000A
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 005F0FE5
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 005F0000
.text C:\Windows\system32\svchost.exe[1212] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 005F0FD4
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00570F42
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 00570EE0
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 00570EFB
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00570FC3
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 00570F7F
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00570FA1
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 00570F90
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 00570EC5
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00570FB2
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00570F27
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 00570FDE
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00570FEF
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00570043
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00570F5D
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 0057001E
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00570F16
.text C:\Windows\system32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00570F6E
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_open 76647E48 5 Bytes JMP 005E0FEF
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 005E0FB9
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!system 7667B177 5 Bytes JMP 005E0044
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 005E0FDE
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 005E0033
.text C:\Windows\system32\svchost.exe[1212] msvcrt.dll!_wopen 76680578 5 Bytes JMP 005E0018
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 0058000A
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00580FAF
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 00580F94
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 00580036
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00580FEF
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00580F83
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00580FCA
.text C:\Windows\system32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 00580025
.text C:\Windows\system32\svchost.exe[1212] WS2_32.dll!socket 76443EB8 5 Bytes JMP 00590FEF
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00C00000
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00C00FE5
.text C:\Windows\system32\svchost.exe[1424] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00C0001B
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00690F6B
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 006900CA
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 00690F35
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00690025
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 0069006F
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00690F97
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 0069005E
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 00690F1A
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00690FC3
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 006900AF
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 0069000A
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00690FEF
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00690FB2
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 0069008A
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00690FD4
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00690F46
.text C:\Windows\system32\svchost.exe[1424] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00690F7C
.text C:\Windows\system32\svchost.exe[1424] msvcrt.dll!_open 76647E48 5 Bytes JMP 006C0000
.text C:\Windows\system32\svchost.exe[1424] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 006C0053
.text C:\Windows\system32\svchost.exe[1424] msvcrt.dll!system 7667B177 5 Bytes JMP 006C0FC8
.text C:\Windows\system32\svchost.exe[1424] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 006C0FE3
.text C:\Windows\system32\svchost.exe[1424] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 006C0038
.text C:\Windows\system32\svchost.exe[1424] msvcrt.dll!_wopen 76680578 5 Bytes JMP 006C001D
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 006A0FEF
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 006A0040
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 006A0FB9
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 006A005B
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 006A0FD4
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 006A0FA8
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 006A0025
.text C:\Windows\system32\svchost.exe[1424] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 006A000A
.text C:\Windows\system32\svchost.exe[1424] WS2_32.dll!socket 76443EB8 5 Bytes JMP 006B0000
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtCreateFile + 6 777455CE 4 Bytes [28, A4, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtCreateFile + B 777455D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtMapViewOfSection + 6 77745C2E 4 Bytes [28, A7, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtMapViewOfSection + B 77745C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenFile + 6 77745CDE 4 Bytes [68, A4, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenFile + B 77745CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenProcess + 6 77745D8E 4 Bytes [A8, A5, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenProcess + B 77745D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenProcessToken + B 77745DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenProcessTokenEx + 6 77745DAE 4 Bytes [A8, A6, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenProcessTokenEx + B 77745DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenThread + 6 77745E0E 4 Bytes [68, A5, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenThread + B 77745E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenThreadToken + 6 77745E1E 4 Bytes [68, A6, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenThreadToken + B 77745E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtOpenThreadTokenEx + B 77745E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtQueryAttributesFile + 6 77745F3E 4 Bytes [A8, A4, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtQueryAttributesFile + B 77745F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtQueryFullAttributesFile + B 77745FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtSetInformationFile + 6 7774663E 4 Bytes [28, A5, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtSetInformationFile + B 77746643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtSetInformationThread + 6 7774669E 4 Bytes [28, A6, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtSetInformationThread + B 777466A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtUnmapViewOfSection + 6 777469BE 4 Bytes [68, A7, F8, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1608] ntdll.dll!NtUnmapViewOfSection + B 777469C3 1 Byte [E2]
.text C:\Windows\system32\svchost.exe[1672] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00610000
.text C:\Windows\system32\svchost.exe[1672] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00610011
.text C:\Windows\system32\svchost.exe[1672] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00610FE5
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 005D0F3C
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 005D0EFC
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 005D0F0D
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 005D0FA8
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 005D0F61
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 005D0F7C
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 005D002F
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 005D0EEB
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 005D0F97
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 005D0076
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 005D0FDE
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 005D0FEF
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 005D001E
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 005D0065
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 005D0FC3
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 005D0087
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 005D0054
.text C:\Windows\system32\svchost.exe[1672] msvcrt.dll!_open 76647E48 5 Bytes JMP 00600000
.text C:\Windows\system32\svchost.exe[1672] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 0060003D
.text C:\Windows\system32\svchost.exe[1672] msvcrt.dll!system 7667B177 5 Bytes JMP 00600022
.text C:\Windows\system32\svchost.exe[1672] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00600011
.text C:\Windows\system32\svchost.exe[1672] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00600FBC
.text C:\Windows\system32\svchost.exe[1672] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00600FD7
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 005E0000
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 005E002F
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 005E004A
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 005E0FA8
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 005E0FE5
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 005E005B
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 005E0FB9
.text C:\Windows\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 005E0FD4
.text C:\Windows\system32\svchost.exe[1672] WS2_32.dll!socket 76443EB8 5 Bytes JMP 005F0000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2024] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 70EE99A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2024] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 70EE9A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[2408] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\svchost.exe[2408] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 004E000A
.text C:\Windows\system32\svchost.exe[2408] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 004E0FCA
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00260F40
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 00260F0A
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 0026009F
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00260FC0
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 0026005F
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 0026003D
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 0026004E
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 002600BA
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00260FA5
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00260084
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 00260FEF
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00260000
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 0026002C
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00260F5B
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 0026001B
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00260F25
.text C:\Windows\system32\svchost.exe[2408] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00260F6C
.text C:\Windows\system32\svchost.exe[2408] msvcrt.dll!_open 76647E48 5 Bytes JMP 00490FEF
.text C:\Windows\system32\svchost.exe[2408] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00490033
.text C:\Windows\system32\svchost.exe[2408] msvcrt.dll!system 7667B177 5 Bytes JMP 00490022
.text C:\Windows\system32\svchost.exe[2408] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00490FCD
.text C:\Windows\system32\svchost.exe[2408] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00490FB2
.text C:\Windows\system32\svchost.exe[2408] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00490FDE
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 00470000
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 0047004A
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 00470FC3
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 0047005B
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 0047001B
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00470FB2
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00470FD4
.text C:\Windows\system32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 00470FE5
.text C:\Windows\system32\svchost.exe[2408] WS2_32.dll!socket 76443EB8 5 Bytes JMP 00480000
.text C:\Windows\Explorer.EXE[2624] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00040FEF
.text C:\Windows\Explorer.EXE[2624] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00040014
.text C:\Windows\Explorer.EXE[2624] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00040FDE
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 000100A2
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 00010F4A
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 000100DF
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 0001002C
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 00010F94
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00010FA5
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 0001006C
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 00010F2F
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00010051
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 000100BD
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 0001001B
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00010000
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00010FCA
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00010091
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00010FE5
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 000100CE
.text C:\Windows\Explorer.EXE[2624] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00010F79
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 00070000
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00070047
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 00070073
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 00070058
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00070FDB
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00070FAC
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00070022
.text C:\Windows\Explorer.EXE[2624] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 00070011
.text C:\Windows\Explorer.EXE[2624] msvcrt.dll!_open 76647E48 5 Bytes JMP 000C0FEF
.text C:\Windows\Explorer.EXE[2624] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 000C0F70
.text C:\Windows\Explorer.EXE[2624] msvcrt.dll!system 7667B177 5 Bytes JMP 000C0F81
.text C:\Windows\Explorer.EXE[2624] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 000C0FC1
.text C:\Windows\Explorer.EXE[2624] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 000C0FA6
.text C:\Windows\Explorer.EXE[2624] msvcrt.dll!_wopen 76680578 5 Bytes JMP 000C0FD2
.text C:\Windows\Explorer.EXE[2624] WININET.dll!InternetOpenA 7629D5E8 5 Bytes JMP 02E20FEF
.text C:\Windows\Explorer.EXE[2624] WININET.dll!InternetOpenUrlA 762AE1C6 5 Bytes JMP 02E2000A
.text C:\Windows\Explorer.EXE[2624] WININET.dll!InternetOpenW 762BC596 5 Bytes JMP 02E20FD4
.text C:\Windows\Explorer.EXE[2624] WININET.dll!InternetOpenUrlW 7630DBF8 5 Bytes JMP 02E2002F
.text C:\Windows\Explorer.EXE[2624] WS2_32.dll!socket 76443EB8 5 Bytes JMP 03540000
.text C:\Windows\system32\svchost.exe[3216] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00240FEF
.text C:\Windows\system32\svchost.exe[3216] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 00240FD4
.text C:\Windows\system32\svchost.exe[3216] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 00240014
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00100065
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 00100F10
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 001000A5
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 0010001B
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 00100F68
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00100F8A
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 00100F79
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 001000B6
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 0010002C
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00100080
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 00100000
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00100FEF
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00100FA5
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00100F3C
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00100FCA
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00100F21
.text C:\Windows\system32\svchost.exe[3216] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00100F57
.text C:\Windows\system32\svchost.exe[3216] msvcrt.dll!_open 76647E48 5 Bytes JMP 00230FE3
.text C:\Windows\system32\svchost.exe[3216] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00230036
.text C:\Windows\system32\svchost.exe[3216] msvcrt.dll!system 7667B177 5 Bytes JMP 00230FAB
.text C:\Windows\system32\svchost.exe[3216] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[3216] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 0023001B
.text C:\Windows\system32\svchost.exe[3216] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00230FC6
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 00110000
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00110FCA
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 0011006C
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 0011005B
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00110FE5
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00110FAF
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00110036
.text C:\Windows\system32\svchost.exe[3216] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 0011001B
.text C:\Windows\system32\svchost.exe[3216] WS2_32.dll!socket 76443EB8 5 Bytes JMP 005B0FE5
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtCreateFile + 6 777455CE 4 Bytes [28, 04, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtCreateFile + B 777455D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtMapViewOfSection + 6 77745C2E 4 Bytes [28, 07, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtMapViewOfSection + B 77745C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenFile + 6 77745CDE 4 Bytes [68, 04, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenFile + B 77745CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenProcess + 6 77745D8E 4 Bytes [A8, 05, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenProcess + B 77745D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenProcessToken + B 77745DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenProcessTokenEx + 6 77745DAE 4 Bytes [A8, 06, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenProcessTokenEx + B 77745DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenThread + 6 77745E0E 4 Bytes [68, 05, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenThread + B 77745E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenThreadToken + 6 77745E1E 4 Bytes [68, 06, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenThreadToken + B 77745E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtOpenThreadTokenEx + B 77745E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtQueryAttributesFile + 6 77745F3E 4 Bytes [A8, 04, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtQueryAttributesFile + B 77745F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtQueryFullAttributesFile + B 77745FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtSetInformationFile + 6 7774663E 4 Bytes [28, 05, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtSetInformationFile + B 77746643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtSetInformationThread + 6 7774669E 4 Bytes [28, 06, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtSetInformationThread + B 777466A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtUnmapViewOfSection + 6 777469BE 4 Bytes [68, 07, 9A, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4476] ntdll.dll!NtUnmapViewOfSection + B 777469C3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtCreateFile + 6 777455CE 4 Bytes [28, 9C, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtCreateFile + B 777455D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtMapViewOfSection + 6 77745C2E 4 Bytes [28, 9F, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtMapViewOfSection + B 77745C33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenFile + 6 77745CDE 4 Bytes [68, 9C, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenFile + B 77745CE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenProcess + 6 77745D8E 4 Bytes [A8, 9D, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenProcess + B 77745D93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenProcessToken + B 77745DA3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenProcessTokenEx + 6 77745DAE 4 Bytes [A8, 9E, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenProcessTokenEx + B 77745DB3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenThread + 6 77745E0E 4 Bytes [68, 9D, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenThread + B 77745E13 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenThreadToken + 6 77745E1E 4 Bytes [68, 9E, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenThreadToken + B 77745E23 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenThreadTokenEx + B 77745E33 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtQueryAttributesFile + 6 77745F3E 4 Bytes [A8, 9C, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtQueryAttributesFile + B 77745F43 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtQueryFullAttributesFile + B 77745FF3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtSetInformationFile + 6 7774663E 4 Bytes [28, 9D, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtSetInformationFile + B 77746643 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtSetInformationThread + 6 7774669E 4 Bytes [28, 9E, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtSetInformationThread + B 777466A3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtUnmapViewOfSection + 6 777469BE 4 Bytes [68, 9F, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtUnmapViewOfSection + B 777469C3 1 Byte [E2]
.text C:\Windows\system32\wuauclt.exe[5716] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00050FEF
.text C:\Windows\system32\wuauclt.exe[5716] ntdll.dll!NtCreateProcess 77745698 5 Bytes JMP 0005002F
.text C:\Windows\system32\wuauclt.exe[5716] ntdll.dll!NtProtectVirtualMemory 77745F18 5 Bytes JMP 0005000A
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!GetStartupInfoA 76041E10 5 Bytes JMP 00010054
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 000100A5
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreateProcessA 76042082 5 Bytes JMP 00010094
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreateNamedPipeW 76072D47 5 Bytes JMP 00010FB9
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!VirtualProtect 76082BCD 5 Bytes JMP 00010F5A
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!LoadLibraryExA 76084466 5 Bytes JMP 00010F7C
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!LoadLibraryExW 76085079 5 Bytes JMP 00010F6B
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!GetProcAddress 7608CC94 5 Bytes JMP 000100B6
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 00010FA8
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!GetStartupInfoW 7608E2DD 5 Bytes JMP 00010079
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreateFileW 7608E8A5 5 Bytes JMP 00010FE5
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreateFileA 7608EA61 5 Bytes JMP 00010000
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!LoadLibraryW 7608EF42 5 Bytes JMP 00010F8D
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreatePipe 760A12A6 5 Bytes JMP 00010F35
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!CreateNamedPipeA 760CDBA8 5 Bytes JMP 00010FD4
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 00010F1A
.text C:\Windows\system32\wuauclt.exe[5716] kernel32.dll!VirtualProtectEx 760CFD51 5 Bytes JMP 00010043
.text C:\Windows\system32\wuauclt.exe[5716] msvcrt.dll!_open 76647E48 5 Bytes JMP 00100000
.text C:\Windows\system32\wuauclt.exe[5716] msvcrt.dll!_wsystem 7667B057 5 Bytes JMP 00100FB7
.text C:\Windows\system32\wuauclt.exe[5716] msvcrt.dll!system 7667B177 5 Bytes JMP 00100042
.text C:\Windows\system32\wuauclt.exe[5716] msvcrt.dll!_creat 7667ED31 5 Bytes JMP 00100027
.text C:\Windows\system32\wuauclt.exe[5716] msvcrt.dll!_wcreat 76680396 5 Bytes JMP 00100FC8
.text C:\Windows\system32\wuauclt.exe[5716] msvcrt.dll!_wopen 76680578 5 Bytes JMP 00100FE3
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegOpenKeyA 763ACC15 5 Bytes JMP 0011000A
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegCreateKeyA 763ACD01 5 Bytes JMP 00110FDE
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegCreateKeyExA 763B1469 5 Bytes JMP 00110FC3
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegCreateKeyW 763B1514 5 Bytes JMP 0011006F
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegOpenKeyW 763B2459 5 Bytes JMP 00110025
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegCreateKeyExW 763B40FE 5 Bytes JMP 00110080
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegOpenKeyExW 763B468D 5 Bytes JMP 00110FEF
.text C:\Windows\system32\wuauclt.exe[5716] ADVAPI32.dll!RegOpenKeyExA 763B4907 5 Bytes JMP 00110036

---- Kernel IAT/EAT - GMER 2.1 ----

IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [86E10D56] \SystemRoot\system32\drivers\BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\mfevtps.exe[128] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0090A530] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\system32\rundll32.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7579FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7579FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[532] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7579FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7579FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????????????? ??????????????????LocalSystem??????????????n?????n?n???????????????????????????????o???????????????????o?????????????s?o???????????o??am???????????l??th??LocalSystem???????????0??????o??am??volume_snapshot_install?C:??? ???????l??????te??.NTx86?iso??? ?????????????????????1??????????Mc????????????????????????????? ?????????????????????1??????????dv?????????????????????????P??gr???????????A??e\??.NTx86?or\???????????f??????:\??Microsoft???? ?????????????????????1???????????\????????? ?????????????????????1??????????re?????????????????????????\??Af???????????s??\S??Microsoft????????????r???????s??????e\??? ???????\?????Mod??6-21-2006???????????????????? ?????????????????????1??????????\P????????????????????????????????????????? ?????????????????????1??????????it?????????????????t???!???????????r?? F??? ???????\??????ni??6.1.7600.16385?\????? ?????????????????????1??????????\S????????? ?????????????????????1??????????te?????????????????????????o??am???????????e??Si??6.1.7600.16385?.tm?????????
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{BF5862DB-E731-11E1-A9CD-806E6F6E6963} 256981056

---- EOF - GMER 2.1 ----
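The user-mode entries in this log come in three shapes, and they have to be sorted before anything can be concluded from them. The first is a 5-byte JMP whose destination GMER resolved to a module on disk (McSvHost.exe -> mcproxy.dll). The second is a 5-byte JMP into a low address with no module named after it: svchost.exe, Explorer.EXE and wuauclt.exe each jump into a handful of private pages (for svchost.exe[1672]: 00610000 for ntdll exports, 005D0000 for kernel32, 00600000 for msvcrt, 005E0000 for ADVAPI32, 005F0000 for WS2_32), one trampoline page per hooked DLL. The third is the paired "+ 6, 4 Bytes" / "+ B, 1 Byte [E2]" patches on ntdll Nt* exports in every chrome.exe process. That third pattern is the Windows 7 x86 system-call stub being rewritten: the four bytes at +6 replace the immediate of the stub's "mov edx, 7FFE0300h" with a little-endian pointer (so [28, 9C, 6C, 00] is 006C9C28), and the E2 at +B turns "call [edx]" (FF 12) into "jmp edx" (FF E2), which is how Chrome's sandbox redirects its child processes' system calls into its own interception code. The log says nothing about who owns the unnamed pages the other processes jump into; a security product's user-mode hooks and an injected payload look identical at this level, so attribution needs the target page dumped from the live process and compared against the installed product's hook stubs. The Python below is an added example (not GMER's code and not part of the posted log) that parses this entry format and produces exactly that triage. The sample lines are a constructed subset modelled on the entries above, and WATCHED_APIS and the triage labels are the example's own choices, not anything GMER reports.

```python
"""Added example: parse GMER 'User code sections' entries and triage them.

Not GMER code and not part of the posted log; it reads the line format GMER
printed and groups hooks the way an analyst does on first pass.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines modelled on the log above, not the full log.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[1672] ntdll.dll!NtCreateFile 777455C8 5 Bytes JMP 00610000
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!CreateProcessW 7604204D 5 Bytes JMP 005D0EFC
.text C:\Windows\system32\svchost.exe[1672] kernel32.dll!WinExec 760CEDB2 5 Bytes JMP 005D0087
.text C:\Windows\system32\svchost.exe[1672] WS2_32.dll!socket 76443EB8 5 Bytes JMP 005F0000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2024] kernel32.dll!LoadLibraryA 7608DC65 5 Bytes JMP 70EE99A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtCreateFile + 6 777455CE 4 Bytes [28, 9C, 6C, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtCreateFile + B 777455D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4872] ntdll.dll!NtOpenProcessToken + B 77745DA3 1 Byte [E2]
"""

# One '.text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) ...' entry; the
# tail is either 'JMP <target>[ <module> (<description>)]' or a literal byte list '[xx, xx]'.
ENTRY_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+)"
    r"(?: \+ (?P<off>[0-9A-F]+))? (?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]{8})(?: (?P<module>.+?) \((?P<desc>[^)]*)\))?"
    r"|\[(?P<bytes>[^\]]*)\])$"
)

# Exports whose interception is typical of process, loader, network and memory-protection
# monitoring. A HIPS hooks these and so does malware; the hook's destination decides.
WATCHED_APIS = {
    "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
    "socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW",
    "VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory",
}


def page_of(addr):
    """4 KiB page containing addr, as GMER prints addresses (8 hex digits)."""
    return "%08X" % (addr & ~0xFFF)


def classify(e):
    """Triage label: where does control go after the hook?"""
    if e["bytes"] is not None:
        # Patch inside the function body rather than a JMP at its entry. At +6 (4 bytes)
        # and +B (1 byte) of an ntdll Nt* export it sits in the Win7 x86 syscall stub:
        # +6 overwrites the imm32 of 'mov edx, 7FFE0300h', and E2 at +B turns 'call [edx]'
        # (FF 12) into 'jmp edx' (FF E2), so the stub jumps to the pointer written at +6.
        if e["api"].startswith("ntdll.dll!Nt") and e["off"] in ("6", "B"):
            return "syscall-stub patch"
        return "inline byte patch"
    if e["module"]:
        return "jmp -> module"          # GMER resolved the destination to a file on disk
    return "jmp -> unbacked memory"     # no module: private page, dump it to attribute


def parse_entry(line):
    """Parse one entry; returns a dict, or None for lines that are not hook entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["export"] = e["api"].split("!", 1)[-1]
    e["process"] = e["proc"].rsplit("\\", 1)[-1] + "[" + e["pid"] + "]"
    # Destination page. Several trampolines sharing one page is the signature of one
    # injected stub block per hooked DLL, whoever injected it.
    e["target_page"] = None
    if e["target"]:
        e["target_page"] = page_of(int(e["target"], 16))
    elif e["off"] == "6" and e["size"] == "4":
        raw = bytes(int(b, 16) for b in e["bytes"].split(", "))  # little-endian pointer
        e["target_page"] = page_of(int.from_bytes(raw, "little"))
    e["kind"] = classify(e)
    return e


def parse_log(text):
    """All hook entries in a GMER log fragment, in order."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Per-process view: hook kinds, destination pages or modules, watched exports hit."""
    rep = defaultdict(lambda: {"kinds": defaultdict(int), "pages": set(),
                               "modules": set(), "watched": []})
    for e in entries:
        r = rep[e["process"]]
        r["kinds"][e["kind"]] += 1
        if e["kind"] == "jmp -> module":
            r["modules"].add(e["module"])
        elif e["target_page"]:
            r["pages"].add(e["target_page"])
        if e["export"] in WATCHED_APIS:
            r["watched"].append(e["export"])
    return dict(rep)


if __name__ == "__main__":
    for proc, r in summarize(parse_log(SAMPLE_LOG)).items():
        print(proc, dict(r["kinds"]), sorted(r["pages"]), sorted(r["modules"]), r["watched"])
```

Feed the whole pasted log to parse_log to get the same view for every process. A destination GMER labelled with a module path is only as trustworthy as that path, so for those entries the next check is whether the file is signed and lives where its description says; for the unnamed pages, the next step is reading them out of the live process, since nothing in the log itself can say whether they belong to the installed security product or to something else.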