GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-01 01:13:24
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MJA2500BH_G2 rev.0084001C
Running: tucrhnoo.exe; Driver: C:\Users\Shane\AppData\Local\Temp\ugloypog.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8844F0B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8844F0E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8844F0CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8844F0A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 82E7E5C5 5 Bytes JMP 8844F0A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKey + 13C1 82E90339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC9D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\atipmdag.sys section is writeable [0x8E01B000, 0x2ECEB2, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\windows\system32\services.exe[600] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 004C0FEF
.text C:\windows\system32\services.exe[600] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 004C000A
.text C:\windows\system32\services.exe[600] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 004C0FDE
.text C:\windows\system32\services.exe[600] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 004B00A5
.text C:\windows\system32\services.exe[600] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 004B0F2B
.text C:\windows\system32\services.exe[600] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 004B0F50
.text C:\windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 004B0025
.text C:\windows\system32\services.exe[600] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 004B0065
.text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 004B0F8D
.text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 004B0F9E
.text C:\windows\system32\services.exe[600] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 004B0FDE
.text C:\windows\system32\services.exe[600] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 004B0FEF
.text C:\windows\system32\services.exe[600] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 004B00E5
.text C:\windows\system32\services.exe[600] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 004B00C0
.text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 004B0036
.text C:\windows\system32\services.exe[600] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 004B0FAF
.text C:\windows\system32\services.exe[600] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 004B0F72
.text C:\windows\system32\services.exe[600] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 004B0014
.text C:\windows\system32\services.exe[600] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 004B0F61
.text C:\windows\system32\services.exe[600] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 004B0080
.text C:\windows\system32\services.exe[600] msvcrt.dll!_open 75537E48 5 Bytes JMP 00A60000
.text C:\windows\system32\services.exe[600] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00A60F95
.text C:\windows\system32\services.exe[600] msvcrt.dll!system 7556B16F 5 Bytes JMP 00A60FB0
.text C:\windows\system32\services.exe[600] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 00A60FD2
.text C:\windows\system32\services.exe[600] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00A60FC1
.text C:\windows\system32\services.exe[600] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00A60FE3
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00A50FEF
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00A50040
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00A50F94
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00A50FAF
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00A5000A
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00A5005B
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00A50FCA
.text C:\windows\system32\services.exe[600] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00A50025
.text C:\windows\system32\services.exe[600] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00A70FEF
.text C:\windows\system32\lsass.exe[616] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00070000
.text C:\windows\system32\lsass.exe[616] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00070FD4
.text C:\windows\system32\lsass.exe[616] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00070FE5
.text C:\windows\system32\lsass.exe[616] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 000600B3
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 0006010B
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 000600FA
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 0006002F
.text C:\windows\system32\lsass.exe[616] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00060F91
.text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00060073
.text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00060062
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 0006000A
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00060FEF
.text C:\windows\system32\lsass.exe[616] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 0006011C
.text C:\windows\system32\lsass.exe[616] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 000600CE
.text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 00060040
.text C:\windows\system32\lsass.exe[616] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00060051
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 00060098
.text C:\windows\system32\lsass.exe[616] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00060FDE
.text C:\windows\system32\lsass.exe[616] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 000600DF
.text C:\windows\system32\lsass.exe[616] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00060F80
.text C:\windows\system32\lsass.exe[616] msvcrt.dll!_open 75537E48 5 Bytes JMP 00090FEF
.text C:\windows\system32\lsass.exe[616] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00090F9C
.text C:\windows\system32\lsass.exe[616] msvcrt.dll!system 7556B16F 5 Bytes JMP 00090FB7
.text C:\windows\system32\lsass.exe[616] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 0009000C
.text C:\windows\system32\lsass.exe[616] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 0009001D
.text C:\windows\system32\lsass.exe[616] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00090FD2
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00080000
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00080025
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00080F83
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00080F9E
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00080FE5
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00080F72
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00080FC3
.text C:\windows\system32\lsass.exe[616] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00080FD4
.text C:\windows\system32\lsass.exe[616] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 006A0FE5
.text C:\windows\system32\svchost.exe[740] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 0040000A
.text C:\windows\system32\svchost.exe[740] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 0040002C
.text C:\windows\system32\svchost.exe[740] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 0040001B
.text C:\windows\system32\svchost.exe[740] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 003F0F83
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 003F00E2
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 003F0F57
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 003F0036
.text C:\windows\system32\svchost.exe[740] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 003F0098
.text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 003F0087
.text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 003F006C
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 003F0FE5
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 003F0000
.text C:\windows\system32\svchost.exe[740] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 003F0F32
.text C:\windows\system32\svchost.exe[740] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 003F0F68
.text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 003F0FCA
.text C:\windows\system32\svchost.exe[740] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 003F0051
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 003F0F94
.text C:\windows\system32\svchost.exe[740] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 003F001B
.text C:\windows\system32\svchost.exe[740] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 003F00D1
.text C:\windows\system32\svchost.exe[740] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 003F0FAF
.text C:\windows\system32\svchost.exe[740] msvcrt.dll!_open 75537E48 5 Bytes JMP 00420FEF
.text C:\windows\system32\svchost.exe[740] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00420040
.text C:\windows\system32\svchost.exe[740] msvcrt.dll!system 7556B16F 5 Bytes JMP 00420025
.text C:\windows\system32\svchost.exe[740] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 0042000A
.text C:\windows\system32\svchost.exe[740] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00420FB5
.text C:\windows\system32\svchost.exe[740] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00420FD2
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00410000
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00410047
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00410FA5
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00410FC0
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00410FE5
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00410F94
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00410036
.text C:\windows\system32\svchost.exe[740] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00410025
.text C:\windows\system32\svchost.exe[740] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00430FEF
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 001D0FEF
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 001D0FCA
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 001D0000
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 00180F46
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 00180EE4
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 00180EFF
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 00180FAF
.text C:\windows\system32\svchost.exe[812] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00180F79
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00180051
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00180F94
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 00180FE5
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00180000
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 00180ED3
.text C:\windows\system32\svchost.exe[812] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 00180F2B
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 0018001B
.text C:\windows\system32\svchost.exe[812] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00180036
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 00180F57
.text C:\windows\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00180FCA
.text C:\windows\system32\svchost.exe[812] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 00180F10
.text C:\windows\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00180F68
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_open 75537E48 5 Bytes JMP 002B0FE3
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 002B0F7F
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!system 7556B16F 5 Bytes JMP 002B0FA4
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 002B000A
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 002B0FB5
.text C:\windows\system32\svchost.exe[812] msvcrt.dll!_wopen 75570570 5 Bytes JMP 002B0FC6
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 001E0FEF
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 001E0025
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 001E0047
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 001E0036
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 001E000A
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 001E0F8A
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 001E0FC3
.text C:\windows\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 001E0FD4
.text C:\windows\system32\svchost.exe[812] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 002C0FEF
.text C:\windows\System32\svchost.exe[972] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00A00FEF
.text C:\windows\System32\svchost.exe[972] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00A00000
.text C:\windows\System32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00A00FCA
.text C:\windows\System32\svchost.exe[972] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 009F009E
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 009F00C3
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 009F0F2E
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 009F001B
.text C:\windows\System32\svchost.exe[972] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 009F0F97
.text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 009F0FA8
.text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 009F0FB9
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 009F0FCA
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 009F0FE5
.text C:\windows\System32\svchost.exe[972] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 009F0F1D
.text C:\windows\System32\svchost.exe[972] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 009F0F64
.text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 009F0036
.text C:\windows\System32\svchost.exe[972] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 009F0051
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 009F0F75
.text C:\windows\System32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 009F000A
.text C:\windows\System32\svchost.exe[972] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 009F0F49
.text C:\windows\System32\svchost.exe[972] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 009F0F86
.text C:\windows\System32\svchost.exe[972] msvcrt.dll!_open 75537E48 5 Bytes JMP 00A20FE3
.text C:\windows\System32\svchost.exe[972] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00A20FA4
.text C:\windows\System32\svchost.exe[972] msvcrt.dll!system 7556B16F 5 Bytes JMP 00A2002F
.text C:\windows\System32\svchost.exe[972] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 00A20FC6
.text C:\windows\System32\svchost.exe[972] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00A20FB5
.text C:\windows\System32\svchost.exe[972] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00A20000
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00A10FE5
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00A10FC3
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00A10054
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00A10FB2
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00A10000
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00A1006F
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00A10FD4
.text C:\windows\System32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00A1001B
.text C:\windows\System32\svchost.exe[972] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00E4000A
.text C:\windows\System32\svchost.exe[1004] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00990000
.text C:\windows\System32\svchost.exe[1004] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00990FD4
.text C:\windows\System32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00990FEF
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 00980F46
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 009800D1
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 009800C0
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 0098002F
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00980F7C
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00980F97
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00980FA8
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 00980FDE
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00980FEF
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 009800E2
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 00980094
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 00980040
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00980FB9
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 0098006F
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00980014
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 009800A5
.text C:\windows\System32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00980F61
.text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_open 75537E48 5 Bytes JMP 00A30000
.text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 00A30FB2
.text C:\windows\System32\svchost.exe[1004] msvcrt.dll!system 7556B16F 5 Bytes JMP 00A3003D
.text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 00A30FD7
.text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 00A3002C
.text C:\windows\System32\svchost.exe[1004] msvcrt.dll!_wopen 75570570 5 Bytes JMP 00A30011
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00A20FE5
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00A20FC3
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00A20FA1
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00A20FB2
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00A20000
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00A2005E
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00A2002F
.text C:\windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00A20FD4
.text C:\windows\System32\svchost.exe[1004] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 00A40FEF
.text C:\windows\system32\svchost.exe[1044] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00A80FEF
.text C:\windows\system32\svchost.exe[1044] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00A8001B
.text C:\windows\system32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 00A8000A
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 009F00CE
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 009F0F65
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 009F00FA
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 009F0047
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 009F0FAF
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 009F0087
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 009F006C
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 009F0025
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 009F000A
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 009F0F4A
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 009F00DF
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 009F0FDB
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 009F0FCA
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 009F00BD
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 009F0036
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 009F0F80
.text C:\windows\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 009F00A2
.text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_open 75537E48 5 Bytes JMP 010B0000
.text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_wsystem 7556B04F 5 Bytes JMP 010B0FD9
.text C:\windows\system32\svchost.exe[1044] msvcrt.dll!system 7556B16F 5 Bytes JMP 010B0064
.text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_creat 7556ED29 5 Bytes JMP 010B002E
.text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_wcreat 7557038E 5 Bytes JMP 010B003F
.text C:\windows\system32\svchost.exe[1044] msvcrt.dll!_wopen 75570570 5 Bytes JMP 010B001D
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 7541CC15 5 Bytes JMP 00F60000
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 7541CD01 5 Bytes JMP 00F60036
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 75421469 5 Bytes JMP 00F6005B
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 75421514 5 Bytes JMP 00F60FB9
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 75422459 5 Bytes JMP 00F60FEF
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 754240FE 5 Bytes JMP 00F60F9E
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 7542468D 5 Bytes JMP 00F60025
.text C:\windows\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 75424907 5 Bytes JMP 00F60FD4
.text C:\windows\system32\svchost.exe[1044] WS2_32.dll!socket 75D53EB8 5 Bytes JMP 01160000
.text C:\windows\system32\svchost.exe[1172] ntdll.dll!NtCreateFile 76E055C8 5 Bytes JMP 00940000
.text C:\windows\system32\svchost.exe[1172] ntdll.dll!NtCreateProcess 76E05698 5 Bytes JMP 00940036
.text C:\windows\system32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory 76E05F18 5 Bytes JMP 0094001B
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 75331E10 5 Bytes JMP 00930F72
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreateProcessW 7533204D 5 Bytes JMP 00930F21
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreateProcessA 75332082 5 Bytes JMP 00930F3C
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7536270F 5 Bytes JMP 00930FCD
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!VirtualProtect 75372341 5 Bytes JMP 00930065
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 75374775 5 Bytes JMP 00930054
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 753747FA 5 Bytes JMP 00930F97
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreateFileW 7537CC56 5 Bytes JMP 00930FDE
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreateFileA 7537CEE8 5 Bytes JMP 00930FEF
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!GetProcAddress 753833D3 5 Bytes JMP 00930F10
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 75383891 5 Bytes JMP 009300C0
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7538395C 5 Bytes JMP 0093002F
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!LoadLibraryW 75383C01 5 Bytes JMP 00930FA8
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreatePipe 753935B7 5 Bytes JMP 00930091
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 753BD44F 5 Bytes JMP 00930014
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!WinExec 753BE5FD 5 Bytes JMP 00930F57
.text C:\windows\system32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 753BF5D9 5 Bytes JMP 00930080