GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-02 14:46:10 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BPVT-75HXZT3 rev.03.01A03 465,76GB Running: b8gbgruq.exe; Driver: C:\Users\PC\AppData\Local\Temp\uglcraoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\lsass.exe[632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdd24f61 5 bytes {JMP QWORD [RIP-0x7fef4f2e]} .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdd2b720 6 bytes {JMP QWORD [RIP-0x7fedb6b6]} .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdd4db70 6 bytes {JMP QWORD [RIP-0x7fefdb3e]} .text C:\Windows\system32\Dwm.exe[2856] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdd4ded0 6 bytes {JMP QWORD [RIP-0x7fefde2e]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\Explorer.EXE[2884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdd24f61 5 bytes {JMP QWORD [RIP-0x7fef4f2e]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdd2b720 6 bytes {JMP QWORD [RIP-0x7fedb6b6]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdd4db70 6 bytes {JMP QWORD [RIP-0x7fefdb3e]} .text C:\Windows\Explorer.EXE[2884] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdd4ded0 6 bytes {JMP QWORD [RIP-0x7fefde2e]} .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 00000000774e0230 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 00000000774e0330 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 00000000774e0250 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\SearchIndexer.exe[1260] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caf25d 1 byte [62] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[1076] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007737f760 5 bytes JMP 0000000100180460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007737f7b0 5 bytes JMP 0000000100180450 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007737f910 5 bytes JMP 0000000100180370 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007737f960 5 bytes JMP 0000000100180470 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007737f970 5 bytes JMP 00000001001803e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007737fa20 5 bytes JMP 0000000100180320 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007737fa50 5 bytes JMP 00000001001803b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007737fa70 5 bytes JMP 0000000100180390 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007737fab0 5 bytes JMP 00000001001802e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007737fb30 5 bytes JMP 00000001001802d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007737fb50 5 bytes JMP 0000000100180310 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007737fb90 5 bytes JMP 00000001001803c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007737fbe0 5 bytes JMP 00000001001803f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007737fd40 5 bytes JMP 0000000100180230 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007737ff00 5 bytes JMP 0000000100180480 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007737ff30 5 bytes JMP 00000001001803a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077380010 5 bytes JMP 00000001001802f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077380020 5 bytes JMP 0000000100180350 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077380080 5 bytes JMP 0000000100180290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077380110 5 bytes JMP 00000001001802b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077380130 5 bytes JMP 00000001001803d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077380140 5 bytes JMP 0000000100180330 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773801b0 5 bytes JMP 0000000100180410 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773801e0 5 bytes JMP 0000000100180240 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773804a0 5 bytes JMP 00000001001801e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077380560 5 bytes JMP 0000000100180250 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077380590 5 bytes JMP 0000000100180490 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773805a0 5 bytes JMP 00000001001804a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773805d0 5 bytes JMP 0000000100180300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773805e0 5 bytes JMP 0000000100180360 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077380640 5 bytes JMP 00000001001802a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077380690 5 bytes JMP 00000001001802c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773806c0 5 bytes JMP 0000000100180380 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773806d0 5 bytes JMP 0000000100180340 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773809c0 5 bytes JMP 0000000100180440 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077380bc0 5 bytes JMP 0000000100180260 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077380bd0 5 bytes JMP 0000000100180270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077380be0 5 bytes JMP 0000000100180400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077380da0 5 bytes JMP 00000001001801f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077380db0 5 bytes JMP 0000000100180210 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077380e20 5 bytes JMP 0000000100180200 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077380e80 5 bytes JMP 0000000100180420 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077380e90 5 bytes JMP 0000000100180430 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077380ea0 5 bytes JMP 0000000100180220 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077380f80 5 bytes JMP 0000000100180280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000751fd03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075511465 2 bytes [51, 75] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755114bb 2 bytes [51, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Program Files (x86)\Ad Muncher\AdMunch.exe[3440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe[3576] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3712] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 000000007752fc11 3 bytes [BC, 3A, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007752fc15 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 000000007752fda5 3 bytes [65, 39, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 000000007752fda9 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 000000007752feb5 3 bytes [F8, 39, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 000000007752feb9 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 000000007752ff35 3 bytes [ED, 3A, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007752ff39 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 000000007752ff95 3 bytes [96, 39, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 000000007752ff99 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 0000000077530835 3 bytes [C7, 39, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 0000000077530839 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077530e69 3 bytes [1E, 3B, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077530e6d 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 0000000077531565 3 bytes [29, 3A, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 0000000077531569 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 00000000775318b1 3 bytes [5A, 3A, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 00000000775318b5 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077531b75 3 bytes [80, 3B, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077531b79 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077531ba5 3 bytes [4F, 3B, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077531ba9 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007521b0e5 1 byte [62] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!GetClassNameW + 466 0000000075536cd6 3 bytes [B1, 3B, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!GetClassNameW + 470 0000000075536cda 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!GetPropW + 94 0000000075537227 3 bytes [13, 3C, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!GetPropW + 98 000000007553722b 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!RemovePropW + 237 0000000075538e4f 3 bytes [44, 3C, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!RemovePropW + 241 0000000075538e53 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!BeginPaint + 59 0000000075540ef5 3 bytes [E2, 3B, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!BeginPaint + 63 0000000075540ef9 2 bytes {JMP RAX} .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!SendInput + 1 000000007556195f 3 bytes [75, 3C, 19] .text C:\Users\PC\Downloads\b8gbgruq.exe[4948] C:\Windows\syswow64\USER32.dll!SendInput + 5 0000000075561963 2 bytes {JMP RAX} ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???z`???????????????????????????????4\???????????e??s???? ???????????????????U???????? ?????????????????C:\Users\PC\AppData\Local\Temp\C0E9C47D-F8544DAC-510C88E7-F3F58F20\hEdnPDpTl.exe????\\?\HID#VID_046D&PID_C05A#7&1c782363&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}??????????.s??????? ???????,???????????????????????????????????????6??4F88A87BD6000CF6???????????????????????????????????s????????????????????LegacyDriver??????N?????????????????{8ECC055D-047F-11D1-A537-0000F8753ED1}?\Pr??? "?????? ?????\Go??4F88A87BD6000CF6?p??????????????sv??@machine.inf,%gendev_mfg%;(Standardowe urz?dzenia systemowe)????????????? ??????????????????????????????CD/DVD File System Reader???????le??MTP??????????????&??? ??1????2?????-99??@machine.inf,%*pnp0103.devicedesc%;Czasomierz zdarzeniowy wysokiej precyzji?????@machine.inf,%*pnp0c02.devicedesc%;Zasoby p?yty g??wnej??????\?f?g?:?h?i?j?j?h?j?k?k?k???????????t??nf???/???@?W???W?b?d?@?e?@?\?d??? x??????r?????nie??????????????????? ??????????????????????????????N???????????{8E Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10002aec Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10002aec (not active ControlSet) ---- EOF - GMER 2.1 ----