[.] Found hidden value:
[REG_SZ] (Standard)
00000000
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0
[.] Found hidden value:
[REG_SZ] (Standard)
QSP2IECtl 1.0 Type Library
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0\0
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0\0\win32
[.] Found hidden value:
[REG_SZ] (Standard)
C:\Documents and Settings\Me\Application Data\Move Networks\plugins\npqmp071503000010.dll
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{1bf6eff2-f87d-4f1a-9f11-3ed2cabe7f3c}\1.0\FLAGS
[.] Found hidden value:
[REG_SZ] (Standard)
00000030
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}
[.] Found hidden value:
[REG_SZ] (Standard)
00000000
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}\1.0
[.] Found hidden value:
[REG_SZ] (Standard)
Google Earth 1.0 Type Library
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}\1.0\0
[.] Found hidden value:
[REG_SZ] (Standard)
00000000
- Found hidden key: HKEY_USERS\S-1-5-21-1708537768-616249376-725345543-1003_Classes\TypeLib\{3476FAB2-687F-4EA6-9AC2-88D72DC7D7FC}\1.0\0\win32
[.] Found hidden value:
[REG_SZ] (Standard)
C:\Program Files\Google\Google Earth\googleearth.exe
DONE.
-------------------------------------------------------------------------------
--------------------[HKEY_USERS\S-1-5-18 ]-------------------
WARNING: Dumping the registry can take quite some time! Be assured
that the app doesn't hang while dumping!
Dumping...OK.
Scanning...[-] Unable to open key: HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider\S-1-5-18: Access is denied.
DONE.
-------------------------------------------------------------------------------
22:21:47 - Performing check: "Hidden processes":
(01) PID: 0 [00000000] (Idle)
(01) PID: 4 [00000000] (System)
(129) PID: 128 [00000000] (OEM02Mon.exe)
(129) PID: 144 [00000000] (spoolsv.exe)
(129) PID: 152 [00000000] (jqs.exe)
(129) PID: 172 [00000000] (rundll32.exe)
(129) PID: 304 [00000000] (sched.exe)
(129) PID: 336 [00000000] (avguard.exe)
(01) PID: 468 [00000000] (smss.exe)
(129) PID: 504 [00000000] (ZCfgSvc.exe)
(129) PID: 516 [00000000] (nvsvc32.exe)
(129) PID: 524 [00000000] (csrss.exe)
(129) PID: 560 [00000000] (winlogon.exe)
(129) PID: 604 [00000000] (services.exe)
(129) PID: 616 [00000000] (lsass.exe)
(129) PID: 784 [00000000] (svchost.exe)
(129) PID: 844 [00000000] (svchost.exe)
(129) PID: 884 [00000000] (MsMpEng.exe)
(129) PID: 896 [00000000] (svchost.exe)
(129) PID: 924 [00000000] (svchost.exe)
(129) PID: 972 [00000000] (EvtEng.exe)
(129) PID: 1000 [00000000] (iFrmewrk.exe)
(129) PID: 1088 [00000000] (S24EvMon.exe)
(129) PID: 1124 [00000000] (WLKEEPER.exe)
(129) PID: 1212 [00000000] (stsystra.exe)
(129) PID: 1236 [00000000] (explorer.exe)
(129) PID: 1244 [00000000] (svchost.exe)
(129) PID: 1296 [00000000] (svchost.exe)
(129) PID: 1452 [00000000] (oacat.exe)
(129) PID: 1468 [00000000] (oasrv.exe)
(129) PID: 1540 [00000000] (KADxMain.exe)
(129) PID: 1576 [00000000] (RegSrvc.exe)
(129) PID: 1788 [00000000] (PCMService.exe)
(129) PID: 1808 [00000000] (SynTPEnh.exe)
(129) PID: 1896 [00000000] (svchost.exe)
(129) PID: 1944 [00000000] (aawservice.exe)
(129) PID: 1976 [00000000] (rundll32.exe)
(129) PID: 2052 [00000000] (GrooveMonitor.exe)
(129) PID: 2160 [00000000] (Dot1XCfg.exe)
(129) PID: 2796 [00000000] (radixgui.exe)
(129) PID: 2932 [00000000] (iPodService.exe)
(129) PID: 3032 [00000000] (MSASCui.exe)
(129) PID: 3200 [00000000] (iTunesHelper.exe)
(129) PID: 3232 [00000000] (avgnt.exe)
(129) PID: 3316 [00000000] (AppleMobileDeviceService.exe)
(129) PID: 3448 [00000000] (mDNSResponder.exe)
(129) PID: 3476 [00000000] (jusched.exe)
(129) PID: 3584 [00000000] (alg.exe)
(129) PID: 3844 [00000000] (wmiprvse.exe)
(129) PID: 3864 [00000000] (GoogleToolbarNotifier.exe)
(129) PID: 3956 [00000000] (DLG.exe)
(01) PID: 3960 [00000000] (wscntfy.exe)
22:21:53 - Performing check: "Selftest":
Doing a short selftest...
-> Checking IAT
PID 2796 - C:\Documents and Settings\Me\Desktop\radix_installer\radixgui.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
- Patching code of CreateProcessA at 7C80236B
7C80236B: Patching FF -> 8B
7C80236C: Patching 25 -> FF
7C80236D: Patching 1E -> 55
7C80236E: Patching 00 -> 8B
7C80236F: Patching 05 -> EC
7C802370: Patching 5F -> 6A
- Wrote patch to process memory.
- Patching code of CreateProcessW at 7C802336
7C802336: Patching FF -> 8B
7C802337: Patching 25 -> FF
7C802338: Patching 1E -> 55
7C802339: Patching 00 -> 8B
7C80233A: Patching 0B -> EC
7C80233B: Patching 5F -> 6A
- Wrote patch to process memory.
- Patching code of FreeLibrary at 7C80AC93
7C80AC93: Patching A5 -> DC
7C80AC94: Patching 53 -> FF
7C80AC95: Patching 2F -> FF
7C80AC96: Patching F5 -> FF
- Wrote patch to process memory.
USER32.dll (7E410000 - 7E4A1000)
- Patching code of ExitWindowsEx at 7E45A275
7E45A275: Patching FF -> 8B
7E45A276: Patching 25 -> FF
7E45A277: Patching 1E -> 55
7E45A278: Patching 00 -> 8B
7E45A279: Patching 0E -> EC
7E45A27A: Patching 5F -> 83
- Wrote patch to process memory.
GDI32.dll (77F10000 - 77F59000)
comdlg32.dll (763B0000 - 763F9000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
COMCTL32.dll (5D090000 - 5D12A000)
SHELL32.dll (7C9C0000 - 7D1D7000)
msvcrt.dll (77C10000 - 77C68000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
- Patching code of CoCreateInstance at 7750057E
7750057E: Patching FF -> 8B
7750057F: Patching 25 -> FF
77500580: Patching 1E -> 55
77500581: Patching 00 -> 8B
77500582: Patching 11 -> EC
77500583: Patching 5F -> 83
- Wrote patch to process memory.
- Patching code of CoCreateInstanceEx at 77500526
77500526: Patching FF -> 8B
77500527: Patching 25 -> FF
77500528: Patching 1E -> 55
77500529: Patching 00 -> 8B
7750052A: Patching 14 -> EC
7750052B: Patching 5F -> 6A
- Wrote patch to process memory.
VERSION.dll (77C00000 - 77C08000)
dbghelp.dll (59A60000 - 59B01000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
OAwatch.dll (00A90000 - 00B7B000)
oleaut32.dll (77120000 - 771AB000)
wsock32.dll (71AD0000 - 71AD9000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
wintrust.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
uxtheme.dll (5AD70000 - 5ADA8000)
msctfime.ime (755C0000 - 755EE000)
Selftest complete.
22:21:56 - Performing check: "MBR":
22:21:57 - Performing check: "IRP hooks":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "Patched modules":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "SDT hooks":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "IDT hooks":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "SYSENTER hook":
Could not open physical memory device!
Make sure you are running as Administrator.
22:21:57 - Performing check: "IAT hooks":
PID 468 - C:\WINDOWS\System32\smss.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
PID 524 - C:\WINDOWS\system32\csrss.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
CSRSRV.dll (75B40000 - 75B4B000)
basesrv.dll (75B50000 - 75B60000)
winsrv.dll (75B60000 - 75BAB000)
GDI32.dll (77F10000 - 77F59000)
KERNEL32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
USER32.dll (7E410000 - 7E4A1000)
sxs.dll (7E720000 - 7E7D0000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
PID 560 - C:\WINDOWS\system32\winlogon.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
AUTHZ.dll (776C0000 - 776D2000)
msvcrt.dll (77C10000 - 77C68000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
NDdeApi.dll (75940000 - 75948000)
PROFMAP.dll (75930000 - 7593A000)
NETAPI32.dll (5B860000 - 5B8B5000)
USERENV.dll (769C0000 - 76A74000)
PSAPI.DLL (76BF0000 - 76BFB000)
REGAPI.dll (76BC0000 - 76BCF000)
SETUPAPI.dll (77920000 - 77A13000)
VERSION.dll (77C00000 - 77C08000)
WINSTA.dll (76360000 - 76370000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
IMM32.DLL (76390000 - 763AD000)
MSGINA.dll (75970000 - 75A68000)
COMCTL32.dll (5D090000 - 5D12A000)
ODBC32.dll (74320000 - 7435D000)
comdlg32.dll (763B0000 - 763F9000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
comctl32.dll (773D0000 - 774D3000)
odbcint.dll (00970000 - 00987000)
SHSVCS.dll (776E0000 - 77703000)
sfc.dll (76BB0000 - 76BB5000)
sfc_os.dll (76C60000 - 76C8A000)
ole32.dll (774E0000 - 7761D000)
Apphelp.dll (77B40000 - 77B62000)
msctfime.ime (755C0000 - 755EE000)
WINSCARD.DLL (723D0000 - 723EC000)
WTSAPI32.dll (76F50000 - 76F58000)
sxs.dll (7E720000 - 7E7D0000)
uxtheme.dll (5AD70000 - 5ADA8000)
WINMM.dll (76B40000 - 76B6D000)
SASWINLO.dll (10000000 - 100CC000)
OLEAUT32.dll (77120000 - 771AB000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (00FE0000 - 00FE9000)
iertutil.dll (3DFD0000 - 3E015000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
cscdll.dll (76600000 - 7661D000)
dimsntfy.dll (47020000 - 47028000)
WlNotify.dll (75950000 - 7596A000)
MPR.dll (71B20000 - 71B32000)
WINSPOOL.DRV (73000000 - 73026000)
rsaenh.dll (68000000 - 68036000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
iphlpapi.dll (76D60000 - 76D79000)
cscui.dll (77A20000 - 77A74000)
xpsp2res.dll (016B0000 - 01975000)
wdmaud.drv (72D20000 - 72D29000)
msacm32.drv (72D10000 - 72D18000)
MSACM32.dll (77BE0000 - 77BF5000)
midimap.dll (77BD0000 - 77BD7000)
COMRes.dll (77050000 - 77115000)
CLBCATQ.DLL (76FD0000 - 7704F000)
PID 604 - C:\WINDOWS\system32\services.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
msvcrt.dll (77C10000 - 77C68000)
NCObjAPI.DLL (5F770000 - 5F77C000)
MSVCP60.dll (76080000 - 760E5000)
SCESRV.dll (7DBD0000 - 7DC21000)
AUTHZ.dll (776C0000 - 776D2000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
USERENV.dll (769C0000 - 76A74000)
umpnpmgr.dll (7DBA0000 - 7DBC1000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
ShimEng.dll (5CB70000 - 5CB96000)
AcAdProc.dll (47260000 - 4726F000)
IMM32.DLL (76390000 - 763AD000)
Apphelp.dll (77B40000 - 77B62000)
VERSION.dll (77C00000 - 77C08000)
eventlog.dll (77B70000 - 77B81000)
PSAPI.DLL (76BF0000 - 76BFB000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
wtsapi32.dll (76F50000 - 76F58000)
PID 616 - C:\WINDOWS\system32\lsass.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
LSASRV.dll (75730000 - 757E5000)
MPR.dll (71B20000 - 71B32000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
MSASN1.dll (77B20000 - 77B32000)
msvcrt.dll (77C10000 - 77C68000)
NETAPI32.dll (5B860000 - 5B8B5000)
NTDSAPI.dll (767A0000 - 767B3000)
DNSAPI.dll (76F20000 - 76F47000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
WLDAP32.dll (76F60000 - 76F8C000)
SAMLIB.dll (71BF0000 - 71C03000)
SAMSRV.dll (74440000 - 744AA000)
cryptdll.dll (76790000 - 7679C000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
msprivs.dll (4D200000 - 4D20E000)
kerberos.dll (71CF0000 - 71D3C000)
msv1_0.dll (77C70000 - 77C95000)
iphlpapi.dll (76D60000 - 76D79000)
netlogon.dll (744B0000 - 74515000)
w32time.dll (767C0000 - 767EC000)
MSVCP60.dll (76080000 - 760E5000)
schannel.dll (767F0000 - 76818000)
CRYPT32.dll (77A80000 - 77B15000)
wdigest.dll (7DFC0000 - 7DFD1000)
rsaenh.dll (68000000 - 68036000)
setupapi.dll (77920000 - 77A13000)
scecli.dll (74410000 - 7443F000)
ipsecsvc.dll (743E0000 - 7440F000)
AUTHZ.dll (776C0000 - 776D2000)
oakley.DLL (75D90000 - 75E60000)
WINIPSEC.DLL (74370000 - 7437B000)
pstorsvc.dll (743A0000 - 743AB000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
psbase.dll (743C0000 - 743DB000)
wshtcpip.dll (71A90000 - 71A98000)
dssenh.dll (68100000 - 68126000)
PID 784 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
rpcss.dll (76A80000 - 76AE4000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
xpsp2res.dll (006B0000 - 00975000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
termsrv.dll (760F0000 - 76143000)
ICAAPI.dll (74F70000 - 74F76000)
SETUPAPI.dll (77920000 - 77A13000)
WINTRUST.dll (76C30000 - 76C5E000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
IMAGEHLP.dll (76C90000 - 76CB8000)
AUTHZ.dll (776C0000 - 776D2000)
mstlsapi.dll (75110000 - 7512F000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
NETAPI32.dll (5B860000 - 5B8B5000)
ATL.DLL (76B20000 - 76B31000)
REGAPI.dll (76BC0000 - 76BCF000)
Apphelp.dll (77B40000 - 77B62000)
rsaenh.dll (68000000 - 68036000)
WTSAPI32.dll (76F50000 - 76F58000)
WINSTA.dll (76360000 - 76370000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
iphlpapi.dll (76D60000 - 76D79000)
PID 844 - C:\WINDOWS\system32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
rpcss.dll (76A80000 - 76AE4000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
xpsp2res.dll (006B0000 - 00975000)
rsaenh.dll (68000000 - 68036000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
DNSAPI.dll (76F20000 - 76F47000)
iphlpapi.dll (76D60000 - 76D79000)
winrnr.dll (76FB0000 - 76FB8000)
WLDAP32.dll (76F60000 - 76F8C000)
mdnsNSP.dll (16080000 - 160A5000)
rasadhlp.dll (76FC0000 - 76FC6000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
PID 884 - C:\Program Files\Windows Defender\MsMpEng.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
MSVCR80.dll (78130000 - 781CB000)
msvcrt.dll (77C10000 - 77C68000)
MpSvc.dll (5C800000 - 5C844000)
MSVCP80.dll (7C420000 - 7C4A7000)
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
VERSION.dll (77C00000 - 77C08000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
MpClient.dll (5B800000 - 5B84F000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
ole32.dll (774E0000 - 7761D000)
OLEAUT32.dll (77120000 - 771AB000)
USERENV.dll (769C0000 - 76A74000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
rsaenh.dll (68000000 - 68036000)
xpsp2res.dll (00AE0000 - 00DA5000)
netapi32.dll (5B860000 - 5B8B5000)
mpengine.dll (5A100000 - 5A641000)
wininet.dll (3D930000 - 3DA01000)
Normaliz.dll (006F0000 - 006F9000)
iertutil.dll (3DFD0000 - 3E015000)
iphlpapi.dll (76D60000 - 76D79000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
mprtplug.dll (5E800000 - 5E80F000)
PSAPI.DLL (76BF0000 - 76BFB000)
uxtheme.dll (5AD70000 - 5ADA8000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
MpAsDesc.dll (60800000 - 6080D000)
PID 924 - C:\WINDOWS\System32\svchost.exe
-------------------------------------------------------------------------------
ntdll.dll (7C900000 - 7C9B2000)
kernel32.dll (7C800000 - 7C8F6000)
The code of FreeLibrary at 7C80AC93 (21) got patched. Here is the diff:
Address New-Original
7C80AC93: A5 - DC
7C80AC94: 53 - FF
7C80AC95: 2E - FF
7C80AC96: F5 - FF
ADVAPI32.dll (77DD0000 - 77E6B000)
RPCRT4.dll (77E70000 - 77F02000)
Secur32.dll (77FE0000 - 77FF1000)
ShimEng.dll (5CB70000 - 5CB96000)
AcGenral.DLL (6F880000 - 6FA4A000)
USER32.dll (7E410000 - 7E4A1000)
GDI32.dll (77F10000 - 77F59000)
WINMM.dll (76B40000 - 76B6D000)
ole32.dll (774E0000 - 7761D000)
msvcrt.dll (77C10000 - 77C68000)
OLEAUT32.dll (77120000 - 771AB000)
MSACM32.dll (77BE0000 - 77BF5000)
VERSION.dll (77C00000 - 77C08000)
SHELL32.dll (7C9C0000 - 7D1D7000)
SHLWAPI.dll (77F60000 - 77FD6000)
USERENV.dll (769C0000 - 76A74000)
UxTheme.dll (5AD70000 - 5ADA8000)
IMM32.DLL (76390000 - 763AD000)
comctl32.dll (773D0000 - 774D3000)
comctl32.dll (5D090000 - 5D12A000)
NTMARTA.DLL (77690000 - 776B1000)
SAMLIB.dll (71BF0000 - 71C03000)
WLDAP32.dll (76F60000 - 76F8C000)
xpsp2res.dll (00630000 - 008F5000)
shsvcs.dll (776E0000 - 77703000)
WINSTA.dll (76360000 - 76370000)
NETAPI32.dll (5B860000 - 5B8B5000)
rsaenh.dll (68000000 - 68036000)
dhcpcsvc.dll (7D4B0000 - 7D4D2000)
DNSAPI.dll (76F20000 - 76F47000)
WS2_32.dll (71AB0000 - 71AC7000)
WS2HELP.dll (71AA0000 - 71AA8000)
iphlpapi.dll (76D60000 - 76D79000)
wzcsvc.dll (7DB10000 - 7DB9C000)
rtutils.dll (76E80000 - 76E8E000)
WMI.dll (76D30000 - 76D34000)
CRYPT32.dll (77A80000 - 77B15000)
MSASN1.dll (77B20000 - 77B32000)
EapolQec.dll (72810000 - 7281B000)
ATL.DLL (76B20000 - 76B31000)
QUtil.dll (726C0000 - 726D6000)
MSVCP60.dll (76080000 - 760E5000)
dot3api.dll (478C0000 - 478CA000)
WTSAPI32.dll (76F50000 - 76F58000)
ESENT.dll (606B0000 - 607BD000)
CLBCATQ.DLL (76FD0000 - 7704F000)
COMRes.dll (77050000 - 77115000)
rastls.dll (76B70000 - 76B97000)
CRYPTUI.dll (754D0000 - 75550000)
WININET.dll (3D930000 - 3DA01000)
Normaliz.dll (01590000 - 01599000)
iertutil.dll (3DFD0000 - 3E015000)
WINTRUST.dll (76C30000 - 76C5E000)
IMAGEHLP.dll (76C90000 - 76CB8000)
MPRAPI.dll (76D40000 - 76D58000)
ACTIVEDS.dll (77CC0000 - 77CF2000)
adsldpc.dll (76E10000 - 76E35000)
SETUPAPI.dll (77920000 - 77A13000)
RASAPI32.dll (76EE0000 - 76F1C000)
rasman.dll (76E90000 - 76EA2000)
TAPI32.dll (76EB0000 - 76EDF000)
SCHANNEL.dll (767F0000 - 76818000)
WinSCard.dll (723D0000 - 723EC000)
PSAPI.DLL (76BF0000 - 76BFB000)
sw2_ttls.dll (10000000 - 1003F000)
sw2_ttls_res.dll (01730000 - 01752000)
WZCSAPI.DLL (73030000 - 73040000)
raschap.dll (76BD0000 - 76BE6000)
msv1_0.dll (77C70000 - 77C95000)
cryptdll.dll (76790000 - 7679C000)
mswsock.dll (71A50000 - 71A8F000)
hnetcfg.dll (662B0000 - 66308000)
wshtcpip.dll (71A90000 - 71A98000)
schedsvc.dll (77300000 - 77333000)
NTDSAPI.dll (767A0000 - 767B3000)
MSIDLE.DLL (74F50000 - 74F55000)
audiosrv.dll (708B0000 - 708BD000)
wkssvc.dll (76E40000 - 76E63000)
cryptsvc.dll (76CE0000 - 76CF2000)
certcli.dll (77B90000 - 77BC2000)
ersvc.dll (74F80000 - 74F89000)
es.dll (77710000 - 77754000)
pchsvc.dll (74F40000 - 74F4C000)
srvsvc.dll (75090000 - 750AA000)
netman.dll (77D00000 - 77D33000)
netshell.dll (76400000 - 765A5000)
credui.dll (76C00000 - 76C2E000)
dot3dlg.dll (736D0000 - 736D6000)
OneX.DLL (5DCA0000 - 5DCC8000)
eappcfg.dll (745B0000 - 745D2000)
eappprxy.dll (5DCD0000 - 5DCDE000)
seclogon.dll (73D20000 - 73D28000)
sens.dll (722D0000 - 722DD000)
srsvc.dll (751A0000 - 751CE000)
POWRPROF.dll (74AD0000 - 74AD8000)
SXS.DLL (7E720000 - 7E7D0000)
tapisrv.dll (733E0000 - 73420000)
trkwks.dll (75070000 - 75089000)
w32time.dll (767C0000 - 767EC000)
wmisvc.dll (59490000 - 594B8000)
VSSAPI.DLL (753E0000 - 7544D000)
wuauserv.dll (50000000 - 50005000)
wuaueng.dll (50040000 - 50219000)
WINSPOOL.DRV (73000000 - 73026000)
WINHTTP.dll (4D4F0000 - 4D549000)
Cabinet.dll (75150000 - 75163000)
mspatcha.dll (600A0000 - 600AB000)
browser.dll (76DA0000 - 76DB6000)
ipnathlp.dll (66460000 - 664B5000)
AUTHZ.dll (776C0000 - 776D2000)
sfc.dll (76BB0000 - 76BB5000)
sfc_os.dll (76C60000 - 76C8A000)
wscsvc.dll (4C0A0000 - 4C0B7000)
msi.dll (7D1E0000 - 7D49C000)
wbemcomn.dll (75290000 - 752C7000)
wbemcore.dll (762C0000 - 76345000)
esscli.dll (75310000 - 7534F000)
FastProx.dll (75690000 - 75706000)
Apphelp.dll (77B40000 - 77B62000)
comsvcs.dll (76620000 - 7675C000)
colbact.DLL (75130000 - 75144000)
MTXCLU.DLL (750F0000 - 75103000)
WSOCK32.dll (71AD0000 - 71AD9000)
CLUSAPI.DLL (76D10000 - 76D22000)
RESUTILS.DLL (750B0000 - 750C2000)
wbemsvc.dll (74ED0000 - 74EDE000)
wmiutils.dll (75020000 - 7503B000)
repdrvfs.dll (75200000 - 7522F000)
wmiprvsd.dll (3F1E0000 - 3F252000)
NCObjAPI.DLL (5F770000 - 5F77C000)
wbemess.dll (75390000 - 753D6000)
ncprov.dll (5F740000 - 5F74E000)
wups2.dll (50F00000 - 50F0D000)
upnp.dll (76DE0000 - 76E04000)
SSDPAPI.dll (74F00000 - 74F0C000)
qmgr.dll (5B9F0000 - 5BA5B000)
MPR.dll (71B20000 - 71B32000)
SHFOLDER.dll (76780000 - 76789000)
qmgrprxy.dll (5DDC0000 - 5DDC9000)
rasmans.dll (7DF30000 - 7DF62000)
WINIPSEC.DLL (74370000 - 7437B000)
netcfgx.dll (755F0000 - 7568A000)
rastapi.dll (75880000 - 75891000)
unimdm.tsp (57CC0000 - 57CF6000)
uniplat.dll (72000000 - 72007000)
rasadhlp.dll (76FC0000 - 76FC6000)
unimdmat.dll (5B070000 - 5B084000)
modemui.dll (61650000 - 61678000)
kmddsp.tsp (57D40000 - 57D4B000)
ndptsp.tsp (57D20000 - 57D30000)
ipconf.tsp (57D50000 - 57D58000)
h323.tsp (57D70000 - 57DB6000)
hidphone.tsp (57D60000 - 57D6A000)
HID.DLL (688F0000 - 688F9000)
rasppp.dll (72240000 - 72277000)
ntlsapi.dll (724B0000 - 724B6000)
kerberos.dll (71CF0000 - 71D3C000)
RASQEC.DLL (72AE0000 - 72AF3000)
RASDLG.dll (768D0000 - 76974000)
winrnr.dll (76FB0000 - 76FB8000)
mdnsNSP.dll (16080000 - 160A5000)
mlang.dll (75CF0000 - 75D81000)
xmlprovi.dll (4CB90000 - 4CBA0000)