GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-04-08 02:24:59
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.12 ----
SSDT Lbd.sys ZwCreateKey
SSDT Lbd.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwEnumerateValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwNotifyChangeKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryMultipleValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwQueryValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwReplaceKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRestoreKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnloadKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP AAD4A9D8 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP AAD4A9AE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP AAD4A9EE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP AAD4AA04 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP AAD4A9C2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP AAD4A934 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP AAD4A948 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP AAD4A986 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP AAD4A970 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP AAD4A95C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP AAD4A99A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP AAD4A920 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryValueKey 8061854A 7 Bytes JMP AAD4AA9A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BC2 7 Bytes JMP AAD4AAF2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619460 7 Bytes JMP AAD4AAB0 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRenameKey 80619D34 7 Bytes JMP AAD4AA58 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7A2 7 Bytes JMP AAD4AA42 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A972 7 Bytes JMP AAD4AA6E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP AAD4AADC \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADBC 7 Bytes JMP AAD4AAC6 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwOpenKey 8061B6E4 5 Bytes JMP AAD4AA18 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA0A 7 Bytes JMP AAD4AB44 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCCA 5 Bytes JMP AAD4AB1C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3BE 5 Bytes JMP AAD4AB30 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4D8 5 Bytes JMP AAD4AB08 \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Dell\QuickSet\NicConfigSvc.exe[124] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[128] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00840FEF
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00840F71
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00840065
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00840054
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00840F97
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00840FC3
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00840F39
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00840F56
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008400C0
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0084009B
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 008400D1
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00840FA8
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00840014
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00840080
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00840FD4
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00840025
.text C:\WINDOWS\system32\svchost.exe[128] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00840F1E
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00830FD4
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00830079
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00830025
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00830FE5
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00830FB2
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00830054
.text C:\WINDOWS\system32\svchost.exe[128] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00830FC3
.text C:\WINDOWS\system32\svchost.exe[128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0F, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 12, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0C, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[180] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A008C
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0071
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A004A
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F55
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A009D
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00C2
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00D3
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0025
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029002C
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F8A
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FE5
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290FA5
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00290047
.text C:\WINDOWS\system32\svchost.exe[180] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FB6
.text C:\WINDOWS\system32\svchost.exe[180] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00660FEF
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[204] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[276] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[632] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe[652] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[708] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[840] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\csrss.exe[868] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F64
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F75
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F90
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F38
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F16
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F27
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070032
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F49
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0007009A
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F4C
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0036
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00FC0F5D
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0F83
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC009D
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0082
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F16
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00AE
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FC00C9
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FC0F94
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FC0065
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FC0FAF
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FC0F31
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FB0FA5
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FB002C
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FB006C
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FB0051
.text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\system32\lsass.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[996] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024A0F6E
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024A0058
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 024A0047
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024A0036
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024A0F9E
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024A009A
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024A0F53
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024A00E1
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024A00C6
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024A00F2
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 024A0025
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 024A0000
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 024A007D
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 024A0FB9
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 024A0FCA
.text C:\WINDOWS\explorer.exe[996] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 024A00B5
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 022C0040
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 022C0091
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 022C0025
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 022C000A
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 022C0076
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 022C0FEF
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 022C0FD4
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4C, 8A ]
.text C:\WINDOWS\explorer.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 022C0051
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 022D0000
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 022D0FDB
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 022D0FC0
.text C:\WINDOWS\explorer.exe[996] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 022D0FAF
.text C:\WINDOWS\explorer.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01870FE5
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02560000
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025600B4
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025600A3
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 02560087
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0256006C
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02560040
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025600EA
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025600CF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02560F77
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0256010F
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02560F66
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0256005B
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02560FE5
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02560FA5
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02560FCA
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02560025
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02560F88
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02550FC3
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02550043
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02550FD4
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02550FEF
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02550F86
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02550000
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02550F97
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 75, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02550FB2
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1204] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30055
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F61
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 00E3002F
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30F72
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E30014
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E3008D
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30F46
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E300C3
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E30F2B
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E300DE
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E30F8D
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E30070
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E30FA8
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E30FB9
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E300A8
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E20FD4
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E20F83
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E20025
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E20F9E
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E20040
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E20FB9
.text C:\WINDOWS\system32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess 7C90D130 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcess + 4 7C90D134 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcessEx 7C90D140 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateProcessEx + 4 7C90D144 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtResumeThread + 4 7C90DB24 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03120000
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03120099
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03120FA5
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 03120FC0
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0312007D
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03120058
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03120F83
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03120F94
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03120F57
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03120F68
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03120F46
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03120FDB
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03120011
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 031200BE
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0312003D
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA 7C860B7C 3 Bytes JMP 0312002C
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateNamedPipeA + 4 7C860B80 1 Byte [ 86 ]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec 7C8623AD 3 Bytes JMP 031200EF
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec + 4 7C8623B1 1 Byte [ 86 ]