OK. Sorry.
Looks like it'll be in three parts.
Thanks.

**** gmer txt Part 1 ****

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-11-07 08:02:18
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.12 ----
SSDT Lbd.sys ZwCreateKey
SSDT Lbd.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcessEx
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetContextThread
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetInformationProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys NtSetInformationProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A895C7B8 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A895C78E \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A895C7CE \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A895C7E4 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A895C7A2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A895C714 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A895C728 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A895C766 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A895C750 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A895C73C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A895C77A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A895C7FD \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F55
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F66
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10040
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10F8D
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D1001B
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F1D
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D1006F
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10EE7
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F0C
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D1009B
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10F9E
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F44
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FB9
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D1000A
.text C:\WINDOWS\SYSTEM32\services.exe[740] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10080
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D0003D
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D0002C
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D0001B
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00087
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00000
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D00FDB
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ F0, 88 ]
.text C:\WINDOWS\SYSTEM32\services.exe[740] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00062
.text C:\WINDOWS\SYSTEM32\services.exe[740] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE000A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F55
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F66
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F8D
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF004A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FA8
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F13
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0065
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0EEE
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0087
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0098
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF002F
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0F3A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FB9
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0076
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F7C
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0025
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE000A
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0F8D
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FA8
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ DE, 88 ]
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\SYSTEM32\lsass.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0FA3
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0098
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA007D
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA006C
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0040
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F6B
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA0F92
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00DF
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA0F50
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA00FA
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA0051
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA00B3
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00CE
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A90025
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A9005B
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90000
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A9004A
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ C9, 88 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A90FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90062
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90051
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90040
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90F8D
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90095
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90084
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90F28
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900C1
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C900DC
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C9002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C90073
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90014
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C900B0
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F79
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C80FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80000
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80036
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C8001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02010000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02010F44
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02010F5F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02010F7C
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02010F97
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02010FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0201005E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02010F18
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02010EE7
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02010080
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0201009B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02010FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0201001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02010F29
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02010FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02010FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0201006F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D40FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D40051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D40FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D4000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D40040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D40FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01D4002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D40FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D20000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01D10FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01D1000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01D10FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1028] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01D10FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F8F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0065008E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0065007D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650FD1
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006500BA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500F0
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006500DF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0065010B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00650062
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00650025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006500A9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650047
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00650F61
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0064001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00640040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660093
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00660078
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0066005B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006600E4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006600C9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0066011A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600FF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00660F66
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006600AE
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0066002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660014
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00660F81
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650047
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00650FAF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0065001B
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650FC0
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0065000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650062
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650FDB
.text C:\WINDOWS\SYSTEM32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00630000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F3E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D003D
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0F6F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D002C
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0FA5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0F17
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D005F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D00A6
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0095
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0EF2
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0F8A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D004E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0011
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0084
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009C0F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009C0F57
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009C0FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009C0F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009C0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ BC, 88 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009C000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB006E
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0051
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F43
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F54
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F10
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F21
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0EFF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB007F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F32
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660040
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660014
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F83
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0066002F
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00630FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00630000
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00630025
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00630036
.text C:\WINDOWS\SYSTEM32\svchost.exe[1536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[1748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe[1748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F83
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0051
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F4B
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0093
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F1F
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00AE
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EFA
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F68
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0011
.text C:\WINDOWS\explorer.exe[2056] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F30
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FA8
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F83
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FC3
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290040
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290025
.text C:\WINDOWS\explorer.exe[2056] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290014
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\explorer.exe[2056] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\explorer.exe[2056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02010FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0060
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F61
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F72
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F8D
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB9
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F2E
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F3F
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00A2
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0EEE
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F50
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0025
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0087
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FA8
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F6B
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FC3
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FDE
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290028
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F7C
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\SYSTEM32\svchost.exe[2856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290F97
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0FA1
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0FB2
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0080
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FDE
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F7C
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00C2
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F5A
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F6B
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B010E
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0065
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0025
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00B1
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0036
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00DF
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0065
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0025
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B004A
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FA8
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ 4B, 88 ]
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3532] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003D0FEF
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFCF9D 76BF10ED 37 Bytes [ 00, 8D, 7E, 64, EB, 8C, F6, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFCFC3 76BF1113 16 Bytes [ EB, 24, 90, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFCFD4 76BF1124 125 Bytes [ 53, 56, 8B, F1, 57, 8D, 5E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFD0B3 76BF1203 15 Bytes CALL 76BD7996
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + FFFFD0C3 76BF1213 80 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + B 76BF1485 82 Bytes [ 00, 89, 32, C7, 42, 20, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + 5E 76BF14D8 22 Bytes [ 00, C9, C2, 08, 00, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + 76 76BF14F0 77 Bytes [ 04, 75, 38, 57, 8B, 79, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + C5 76BF153F 3 Bytes [ 74, 02, 02 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameA + C9 76BF1543 77 Bytes [ 56, 8B, 75, 14, 57, 56, E8, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 15 76BF1650 1 Byte [ 7D ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 17 76BF1652 74 Bytes [ 83, 4F, 70, 10, 8B, 45, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 62 76BF169D 24 Bytes CALL 76BF16BE C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 7D 76BF16B8 23 Bytes JMP 074FA734
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumDeviceDrivers + 95 76BF16D0 19 Bytes [ FF, 55, 8B, EC, 8B, 45, 0C, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 4 76BF176E 144 Bytes [ 45, 14, 0F, 85, 91, FF, 01, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 95 76BF17FF 36 Bytes [ 57, FF, 75, 14, 89, 4E, 60, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + BA 76BF1824 133 Bytes CALL 76BF14A6 C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 140 76BF18AA 72 Bytes [ EC, 8B, 4D, 08, 80, B9, E5, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExW + 189 76BF18F3 33 Bytes JMP 76BF1436 C:\WINDOWS\system32\PSAPI.DLL
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameA + 25 76BF1CEA 93 Bytes [ F3, A5, 8B, CA, 83, E1, 03, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameW + 8 76BF1D48 51 Bytes [ 4D, 0C, 89, 01, 33, C0, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameW + 3C 76BF1D7C 12 Bytes [ FF, FF, C7, 45, FC, 0E, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverFileNameW + 49 76BF1D89 24 Bytes JMP 76BF1CFE C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameW + 6 76BF1DA2 13 Bytes CALL 76BD91C3
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameW + 14 76BF1DB0 18 Bytes [ 35, AC, 10, E7, 77, 8D, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetDeviceDriverBaseNameW + 27 76BF1DC3 62 Bytes [ C0, 0F, 84, 18, 79, 01, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetMappedFileNameW + B 76BF1E03 147 Bytes CALL 76BD76BB
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetMappedFileNameA + 7 76BF1E97 37 Bytes [ 8D, 45, F8, 50, 53, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetMappedFileNameA + 2D 76BF1EBD 67 Bytes CALL 76BD76BD
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + D 76BF1F01 133 Bytes [ 00, 00, 00, 68, C0, B2, EF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + 93 76BF1F87 39 Bytes [ 83, F8, FF, 8B, CB, 0F, 84, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + BD 76BF1FB1 17 Bytes [ 90, 90, 90, 90, 90, 83, 3D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + CF 76BF1FC3 33 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcessModules + F1 76BF1FE5 21 Bytes [ 45, 08, 39, 05, 60, B3, EF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 11 76BF205E 14 Bytes [ 88, 7C, 8B, 70, 04, E9, 87, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 20 76BF206D 28 Bytes JMP 76BE289E
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 3D 76BF208A 23 Bytes [ 6A, 01, 8D, 85, D8, FD, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleFileNameExA + 55 76BF20A2 41 Bytes JMP 76C0EA35
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameW + 17 76BF20CC 31 Bytes [ 75, 10, FF, 75, 14, FF, 15, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameW + 37 76BF20EC 64 Bytes [ FF, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameW + 78 76BF212D 103 Bytes [ 6A, 00, FF, B6, A8, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleBaseNameA + 63 76BF2195 75 Bytes CALL 76BE2D0E
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleInformation + 47 76BF21E1 74 Bytes [ EC, 53, 56, 8B, 75, 10, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetModuleInformation + 92 76BF222C 130 Bytes [ 05, A4, 50, 88, 7C, E9, B3, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + B 76BF22AF 59 Bytes [ FF, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 47 76BF22EB 187 Bytes [ 51, 8D, 45, 08, 50, FF, 76, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 103 76BF23A7 174 Bytes CALL 3E74A8BB
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 1B2 76BF2456 32 Bytes [ FF, 8B, F8, 85, FF, 0F, 8C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!QueryWorkingSet + 1D3 76BF2477 14 Bytes [ 83, 3E, 03, 0F, 84, 03, 69, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + A1 76BF3B17 59 Bytes CALL 76BF438B C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + DD 76BF3B53 2 Bytes [ 8B, 75 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + E0 76BF3B56 5 Bytes [ 85, C0, 74, 03, 50 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + E6 76BF3B5C 83 Bytes [ 08, 83, 7D, E4, 00, 74, 0C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumProcesses + 13A 76BF3BB0 40 Bytes [ C2, 14, 00, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessMemoryInfo + 1C 76BF3BD9 201 Bytes [ F9, 0C, 73, 08, 8D, 45, D4, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessMemoryInfo + E6 76BF3CA3 28 Bytes [ C3, 90, 90, 90, 90, 90, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 10 76BF3CC1 5 Bytes [ 4C, 11, DD, 77, 33 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 16 76BF3CC7 12 Bytes [ EB, 03, 33, C0, 40, E8, BE, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 23 76BF3CD4 4 Bytes [ 90, 90, 90, 90 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!InitializeProcessForWsWatch + 28 76BF3CD9 61 Bytes [ FF, FF, FF, 93, 7C, E3, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetWsChanges + 22 76BF3D17 18 Bytes CALL 76BAD871
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetWsChanges + 35 76BF3D2A 6 Bytes [ FF, 75, E4, E8, 22, EC ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameW + 2 76BF3D31 61 Bytes [ FF, 83, 4D, FC, FF, 85, C0, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameW + 40 76BF3D6F 135 Bytes [ 75, 1C, FF, 75, 18, FF, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameA + 3A 76BF3DF7 2 Bytes [ 75, 07 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetProcessImageFileNameA + 3D 76BF3DFA 131 Bytes [ 45, E4, 08, 00, 00, 00, 83, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 3D 76BF3E7E 10 Bytes CALL 76B9298C
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 48 76BF3E89 9 Bytes [ 90, 90, 90, 90, 90, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 52 76BF3E93 39 Bytes [ FF, 0B, 7E, E3, 77, 1E, 7E, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 7A 76BF3EBB 32 Bytes [ 8D, 45, 94, 50, 6A, 64, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!GetPerformanceInfo + 9B 76BF3EDC 46 Bytes [ C9, C2, 04, 00, 90, 90, 90, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 41 76BF4022 4 Bytes [ 00, 68, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 47 76BF4028 27 Bytes [ 04, 00, 0C, 00, 30, E8, 04, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 63 76BF4044 17 Bytes [ 03, 00, 18, 01, 04, 00, 40, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 77 76BF4058 8 Bytes [ 05, 00, 10, 00, 32, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesW + 80 76BF4061 87 Bytes [ 00, 08, 00, 46, 03, 08, 01, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + E4 76BF4234 51 Bytes [ 64, 00, 73, 00, 41, 00, 64, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 118 76BF4268 19 Bytes [ 72, 00, 69, 00, 63, 00, 74, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 12C 76BF427C 79 Bytes [ 69, 00, 64, 00, 73, 00, 54, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 17C 76BF42CC 1 Byte [ 61 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] PSAPI.DLL!EnumPageFilesA + 17E 76BF42CE 7 Bytes [ 78, 00, 50, 00, 72, 00, 69 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66A1B 3D931671 159 Bytes [ 39, 5D, 08, 0F, 85, 87, DB, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66ABB 3D931711 28 Bytes [ 00, 00, 89, 45, D8, 89, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66AD8 3D93172E 101 Bytes [ D4, 18, 00, 00, 00, C7, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66B3E 3D931794 28 Bytes [ FC, FF, 15, 28, 14, DD, 77, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetConfirmZoneCrossing + FFF66B5B 3D9317B1 32 Bytes [ 15, 94, 14, DD, 77, 85, DB, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 4 3D9340C4 72 Bytes [ 45, F8, 8B, 75, 10, 8D, 7C, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 4E 3D93410E 14 Bytes [ F0, 39, 5D, F0, 74, 46, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 5D 3D93411D 20 Bytes CALL 3D933D85 C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 72 3D934132 10 Bytes [ 15, 70, 14, F6, 77, 8B, 7D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCrackUrlW + 7D 3D93413D 54 Bytes [ 02, 8B, C8, 8B, D1, C1, E9, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + 9 3D934F17 53 Bytes [ 50, 8D, 85, FC, F5, FF, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + 3F 3D934F4D 50 Bytes [ FF, 75, 10, 89, 45, E8, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + 72 3D934F80 102 Bytes [ 8B, 45, 08, 89, 46, 10, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + D9 3D934FE7 23 Bytes CALL 3D934F6E C:\WINDOWS\system32\WININET.dll
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoA + F1 3D934FFF 4 Bytes [ FF, 02, 0D, 02 ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 12 3D93526B 33 Bytes [ 00, 00, 00, 00, 00, 06, 06, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 34 3D93528D 14 Bytes [ 00, 00, 00, 14, 2C, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 43 3D93529C 2 Bytes [ 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 48 3D9352A1 7 Bytes [ 00, 00, 00, 2C, 2C, 00, 00 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheHeaderData + 50 3D9352A9 26 Bytes [ 00, 00, 00, 06, 06, 00, 00, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 22 3D93BE65 20 Bytes [ 00, 8D, BE, 90, 09, 00, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 37 3D93BE7A 45 Bytes [ 00, 8B, 4E, 04, 8B, 01, 68, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 65 3D93BEA8 66 Bytes [ 50, 60, 8B, 86, 88, 09, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + A8 3D93BEEB 134 Bytes [ 66, 89, 5E, 20, 8B, 01, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoExW + 12F 3D93BF72 17 Bytes [ 52, 8D, 95, CC, FD, FF, FF, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + A1 3D93CA47 57 Bytes [ 83, C0, 03, 83, E0, FC, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + DB 3D93CA81 21 Bytes [ 55, 8B, EC, 51, 51, 53, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + F1 3D93CA97 9 Bytes [ 66, 83, 3F, 5C, 59, 74, 35, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + FB 3D93CAA1 64 Bytes [ 0E, 83, C0, 03, 83, E0, FC, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCreateUrlW + 13C 3D93CAE2 41 Bytes CALL 3D8FB417
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 36 3D94007F 5 Bytes [ 75, 14, 56, E8, 15 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 3D 3D940086 40 Bytes [ FF, 3B, C7, 89, 03, 74, 09, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 66 3D9400AF 17 Bytes [ A1, AC, B2, EF, 77, 89, 45, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + 78 3D9400C1 55 Bytes [ 77, 89, 45, 94, 8B, 45, 14, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetQueryOptionA + B0 3D9400F9 31 Bytes [ 4E, 2F, FB, FF, 3B, C3, 89, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 29 3D94070B 5 Bytes [ 55, 8B, EC, 56, 57 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 2F 3D940711 30 Bytes [ 75, 08, 8B, F1, 8B, 46, 64, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 4E 3D940730 43 Bytes [ 6A, 5A, 57, 6A, 03, E8, 32, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + 7A 3D94075C 40 Bytes [ 22, 03, 09, 80, 74, 2E, 81, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedStateExW + A5 3D940787 103 Bytes [ 05, 21, 07, 00, 00, 8B, F0, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 26 3D9408CD 24 Bytes [ 46, 64, 8D, 4D, FC, 51, 57, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 3F 3D9408E6 21 Bytes [ BE, E5, 06, 00, 00, 56, 6A, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 55 3D9408FC 276 Bytes [ 01, 00, 00, 00, EB, 06, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 16B 3D940A12 1 Byte [ 08 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetGetConnectedState + 16D 3D940A14 97 Bytes CALL 3D935EA5 C:\WINDOWS\system32\WININET.dll
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetCanonicalizeUrlW + 4 3D940DFC 121 Bytes [ 46, 08, 85, C0, 74, 1E, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 26 3D940E76 29 Bytes [ 46, 08, 85, C0, 74, 0B, 50, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 44 3D940E94 41 Bytes [ 83, 66, 10, 00, 59, 56, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 6E 3D940EBE 33 Bytes [ FC, 75, 07, 33, C0, E9, E8, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + 90 3D940EE0 71 Bytes [ 13, 74, 40, 8B, 43, 04, 8D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!GetUrlCacheEntryInfoW + D8 3D940F28 48 Bytes [ 39, 8B, 4B, 0C, 85, C9, 74, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 4 3D940F7C 28 Bytes [ 75, FC, 59, 89, 46, 10, 75, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 21 3D940F99 3 Bytes [ 02, 8B, F8 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 25 3D940F9D 9 Bytes JMP C93A02A4
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 2F 3D940FA7 21 Bytes [ FC, 83, E1, 03, F3, A4, 5F, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!CommitUrlCacheEntryA + 45 3D940FBD 1 Byte [ EC ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + B 3D94330D 66 Bytes [ 47, 47, 66, 8B, 07, 66, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + 4E 3D943350 92 Bytes [ 00, 83, F8, 0A, 7D, 24, 85, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + AB 3D9433AD 19 Bytes [ 4D, EC, 85, C9, 0F, 85, 7D, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + BF 3D9433C1 32 Bytes [ 80, 66, 39, F7, 80, 7D, 13, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionA + E0 3D9433E2 98 Bytes [ 8B, 5E, 14, 57, FF, 75, 0C, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 2E 3D9434AE 12 Bytes [ 8B, C2, 83, E0, 07, 56, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 3B 3D9434BB 5 Bytes [ 45, EC, 8B, 46, 1C ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 41 3D9434C1 5 Bytes [ 5D, F0, 83, C3, 04 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 47 3D9434C7 25 Bytes [ 45, DC, 89, 56, 1C, 66, 8B, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetSetOptionW + 61 3D9434E1 73 Bytes [ 00, 83, 65, F8, 00, 8B, 46, ... ]
.text ...
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 30 3D9463A6 2 Bytes [ FF, 55 ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 33 3D9463A9 10 Bytes [ EC, 8B, 45, 0C, 83, 20, 00, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 3E 3D9463B4 70 Bytes [ 80, 5D, C2, 08, 00, 90, 90, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + 85 3D9463FB 62 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe[4008] WININET.dll!InternetLockRequestFile + C4 3D94643A 4 Bytes [ 88, B8, 00, 00 ]
.text ...