GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-18 19:59:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB Running: f12d36v3.exe; Driver: C:\Users\Grzela\AppData\Local\Temp\pwlorfow.sys ---- User code sections - GMER 2.0 ---- .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 0000000100120440 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 0000000100120430 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 0000000100120450 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0xffffffff88fcee90} .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001001203b0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 0000000100120320 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 0000000100120380 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000001001202e0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 0000000100120410 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000001001202d0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 0000000100120310 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 0000000100120390 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000001001203c0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 0000000100120230 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0xffffffff88fce890} .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 0000000100120460 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 0000000100120370 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000001001202f0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 0000000100120350 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 0000000100120290 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000001001202b0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000001001203a0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 0000000100120330 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0xffffffff88fce590} .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000001001203e0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 0000000100120240 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000001001201e0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 0000000100120250 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0xffffffff88fce090} .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 0000000100120470 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 0000000100120480 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 0000000100120300 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 0000000100120360 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000001001202a0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000001001202c0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 0000000100120340 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 0000000100120420 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 0000000100120260 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 0000000100120270 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000001001203d0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0xffffffff88fcdb90} .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000001001201f0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 0000000100120210 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 0000000100120200 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000001001203f0 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 0000000100120400 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 0000000100120220 .text C:\windows\system32\csrss.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 0000000100120280 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\wininit.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\wininit.exe[768] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 0000000100120440 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 0000000100120430 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 0000000100120450 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0xffffffff88fcee90} .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001001203b0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 0000000100120320 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 0000000100120380 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000001001202e0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 0000000100120410 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000001001202d0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 0000000100120310 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 0000000100120390 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000001001203c0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 0000000100120230 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0xffffffff88fce890} .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 0000000100120460 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 0000000100120370 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000001001202f0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 0000000100120350 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 0000000100120290 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000001001202b0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000001001203a0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 0000000100120330 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0xffffffff88fce590} .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000001001203e0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 0000000100120240 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000001001201e0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 0000000100120250 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0xffffffff88fce090} .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 0000000100120470 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 0000000100120480 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 0000000100120300 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 0000000100120360 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000001001202a0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000001001202c0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 0000000100120340 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 0000000100120420 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 0000000100120260 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 0000000100120270 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000001001203d0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0xffffffff88fcdb90} .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000001001201f0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 0000000100120210 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 0000000100120200 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000001001203f0 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 0000000100120400 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 0000000100120220 .text C:\windows\system32\csrss.exe[804] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 0000000100120280 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\services.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\services.exe[836] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 0000000100070440 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 0000000100070430 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 0000000100070450 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0xffffffff88f1ee90} .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001000703b0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 0000000100070320 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 0000000100070380 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000001000702e0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 0000000100070410 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000001000702d0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 0000000100070310 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 0000000100070390 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000001000703c0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 0000000100070230 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0xffffffff88f1e890} .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 0000000100070460 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 0000000100070370 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000001000702f0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 0000000100070350 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 0000000100070290 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000001000702b0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000001000703a0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 0000000100070330 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0xffffffff88f1e590} .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000001000703e0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 0000000100070240 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000001000701e0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 0000000100070250 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0xffffffff88f1e090} .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 0000000100070470 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 0000000100070480 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 0000000100070300 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 0000000100070360 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000001000702a0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000001000702c0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 0000000100070340 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 0000000100070420 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 0000000100070260 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 0000000100070270 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000001000703d0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0xffffffff88f1db90} .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000001000701f0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 0000000100070210 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 0000000100070200 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000001000703f0 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 0000000100070400 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 0000000100070220 .text C:\windows\system32\lsass.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 0000000100070280 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\lsm.exe[860] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\winlogon.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\winlogon.exe[920] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[996] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[996] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\atiesrxx.exe[808] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[1084] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\System32\svchost.exe[1084] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[1116] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\System32\svchost.exe[1116] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1156] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1292] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1292] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1364] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1364] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\atieclxx.exe[1592] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\System32\spoolsv.exe[1824] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1864] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1864] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1048] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075201401 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075201419 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075201431 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007520144a 2 bytes [20, 75] .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752014dd 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752014f5 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007520150d 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075201525 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007520153d 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075201555 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007520156d 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075201585 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007520159d 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752015b5 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752015cd 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752016b2 2 bytes [20, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1312] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752016bd 2 bytes [20, 75] .text C:\windows\SysWOW64\srvany.exe[1408] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\windows\KMService.exe[2052] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\windows\system32\svchost.exe[2088] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[2188] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\taskhost.exe[2712] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\Dwm.exe[2780] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000000772b03b0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\Explorer.EXE[2872] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\Explorer.EXE[2872] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 00000001002e075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 00000001002e0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001002e163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 00000001002e1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2976] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 00000001001c075c .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001001c03a4 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 00000001001c0b14 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 00000001001c0ecc .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001001c163c .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 00000001001c1284 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\windows\system32\SearchIndexer.exe[4140] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 000000010032075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001003203a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 0000000100320b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 0000000100320ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 000000010032163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 0000000100321284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4148] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 000000010017075c .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001001703a4 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 0000000100170b14 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 0000000100170ecc .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 000000010017163c .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 0000000100171284 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[4396] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4556] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001003701f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001003703fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100370804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100370600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100370a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100391014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100390804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100390a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100390c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100390e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001003901f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001003903fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[4648] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100390600 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[4680] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 00000001003d075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001003d03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 00000001003d0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 00000001003d0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001003d163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 00000001003d1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[4716] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075201401 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075201419 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075201431 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007520144a 2 bytes [20, 75] .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752014dd 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752014f5 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007520150d 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075201525 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007520153d 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075201555 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007520156d 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075201585 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007520159d 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752015b5 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752015cd 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752016b2 2 bytes [20, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4748] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752016bd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[4844] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 000000010023075c .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001002303a4 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 0000000100070440 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 0000000100070430 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 0000000100230b14 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 0000000100230ecc .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 0000000100070450 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0xffffffff88f1ee90} .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 000000010023163c .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 0000000100070320 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 0000000100070380 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000001000702e0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 0000000100070410 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000001000702d0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 0000000100070310 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 0000000100070390 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 0000000100231284 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000001000703c0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 0000000100070230 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0xffffffff88f1e890} .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 0000000100070460 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 0000000100070370 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000001000702f0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 0000000100070350 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 0000000100070290 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000001000702b0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000001000703a0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 0000000100070330 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0xffffffff88f1e590} .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000001000703e0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 0000000100070240 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000001000701e0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 0000000100070250 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0xffffffff88f1e090} .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 0000000100070470 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 0000000100070480 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 0000000100070300 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 0000000100070360 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000001000702a0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000001000702c0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 0000000100070340 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 0000000100070420 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 0000000100070260 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 0000000100070270 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000001000703d0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0xffffffff88f1db90} .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000001000701f0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 0000000100070210 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 0000000100070200 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000001000703f0 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 0000000100070400 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 0000000100070220 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 0000000100070280 .text C:\windows\system32\svchost.exe[3672] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\windows\system32\svchost.exe[3672] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 000000010015075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001001503a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 0000000100150b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 0000000100150ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 000000010015163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 0000000100151284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4544] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe[4124] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100260600 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 00000001001e075c .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001001e03a4 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 00000001001e0b14 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 00000001001e0ecc .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001001e163c .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 00000001001e1284 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\windows\System32\svchost.exe[1908] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 00000001002d1014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 00000001002d0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 00000001002d0c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 00000001002d0e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002f01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002f03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 00000001002f0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 00000001002f0600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe[5132] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 00000001002f0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe[5376] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001003801f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001003803fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100380804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100380600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100380a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 00000001003a1014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 00000001003a0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 00000001003a0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 00000001003a0c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 00000001003a0e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001003a01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001003a03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 00000001003a0600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075201401 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075201419 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075201431 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007520144a 2 bytes [20, 75] .text ... * 9 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752014dd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752014f5 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007520150d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075201525 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007520153d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075201555 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007520156d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075201585 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007520159d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752015b5 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752015cd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752016b2 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[5420] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752016bd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075201401 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075201419 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075201431 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007520144a 2 bytes [20, 75] .text ... * 9 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752014dd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752014f5 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007520150d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075201525 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007520153d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075201555 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007520156d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075201585 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007520159d 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752015b5 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752015cd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752016b2 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[5480] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752016bd 2 bytes [20, 75] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 00000001003f1014 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 00000001003f0804 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 00000001003f0a08 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 00000001003f0c0c .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 00000001003f0e10 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001003f01f8 .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001003f03fc .text C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[5660] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 00000001003f0600 .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\windows\system32\DllHost.exe[6036] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 000000010038075c .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001003803a4 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 00000000772b0440 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 00000000772b0430 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 0000000100380b14 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 0000000100380ecc .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 00000000772b0450 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0x15ee90} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 000000010038163c .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 00000000772b0320 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 00000000772b0380 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000000772b02e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 00000000772b0410 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000000772b02d0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 00000000772b0310 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 00000000772b0390 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 0000000100381284 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000000772b03c0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 00000000772b0230 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0x15e890} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 00000000772b0460 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 00000000772b0370 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000000772b02f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 00000000772b0350 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 00000000772b0290 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000000772b02b0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000000772b03a0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 00000000772b0330 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0x15e590} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000000772b03e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 00000000772b0240 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000000772b01e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 00000000772b0250 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0x15e090} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 00000000772b0470 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 00000000772b0480 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 00000000772b0300 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 00000000772b0360 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000000772b02a0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000000772b02c0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 00000000772b0340 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 00000000772b0420 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 00000000772b0260 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 00000000772b0270 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000000772b03d0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0x15db90} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000000772b01f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 00000000772b0210 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 00000000772b0200 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000000772b03f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 00000000772b0400 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 00000000772b0220 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 00000000772b0280 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4256] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077123ae0 5 bytes JMP 00000001001c075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077127a90 5 bytes JMP 00000001001c03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771513c0 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077151410 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077151490 5 bytes JMP 00000001001c0b14 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000771514f0 5 bytes JMP 00000001001c0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771515c0 1 byte JMP 0000000100070450 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000771515c2 3 bytes {JMP 0xffffffff88f1ee90} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771515d0 5 bytes JMP 00000001001c163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077151680 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771516b0 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077151710 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077151760 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077151790 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771517b0 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771517f0 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077151810 5 bytes JMP 00000001001c1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077151840 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771519a0 1 byte JMP 0000000100070230 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000771519a2 3 bytes {JMP 0xffffffff88f1e890} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077151b60 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077151b90 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077151c70 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077151c80 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077151ce0 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077151d70 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077151d90 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077151da0 1 byte JMP 0000000100070330 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077151da2 3 bytes {JMP 0xffffffff88f1e590} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077151e10 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077151e40 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077152100 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771521c0 1 byte JMP 0000000100070250 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000771521c2 3 bytes {JMP 0xffffffff88f1e090} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771521f0 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077152200 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077152230 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077152240 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771522a0 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771522f0 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077152330 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077152620 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077152820 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077152830 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077152840 1 byte JMP 00000001000703d0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077152842 3 bytes {JMP 0xffffffff88f1db90} .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077152a00 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077152a10 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077152a80 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077152ae0 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077152af0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077152b00 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077152be0 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076edeecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec96e00 5 bytes JMP 000007ff7ecb1dac .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec96f2c 5 bytes JMP 000007ff7ecb0ecc .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec97220 5 bytes JMP 000007ff7ecb1284 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec9739c 5 bytes JMP 000007ff7ecb163c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec97538 5 bytes JMP 000007ff7ecb19f4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec975e8 5 bytes JMP 000007ff7ecb03a4 .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec9790c 5 bytes JMP 000007ff7ecb075c .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5116] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec97ab4 5 bytes JMP 000007ff7ecb0b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5272] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000772ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000772ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000772ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077300018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007731c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077321217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000754d5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000754d5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754d53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754d54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754d55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!CreateServiceA 00000000754d567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!CreateServiceW 00000000754d589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\SysWOW64\sechost.dll!DeleteService 00000000754d5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\syswow64\USER32.dll!SetWinEventHook 00000000756fee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000075703982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075707603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007570835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2956] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007571f52b 5 bytes JMP 00000001000b0a08 .text C:\Users\Grzela\Downloads\f12d36v3.exe[3744] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007599a30a 1 byte [62] ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef6792750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef6792b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef6797de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef6798130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef6791908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef6791c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef67981d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef6792878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef6797a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef6796c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef67977bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef6797064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef6796544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2324] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef6795e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.0 ---- Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1656] 0000000077332e25 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1660] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1672] 00000000754d7587 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1732] 0000000072db8d60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1736] 0000000072b56fe0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1740] 0000000072b56900 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1748] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1752] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:1756] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3316] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3324] 0000000072b4c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3328] 0000000072b4c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3332] 0000000072b4c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3336] 0000000072b4c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3340] 0000000072b4c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3344] 0000000072b4d470 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3348] 0000000072b4ca80 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3352] 0000000072b686a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3356] 0000000072b67480 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3360] 0000000072b67850 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3364] 0000000072b4e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3368] 0000000072b4e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3372] 0000000072b4e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3376] 0000000072b4e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3380] 0000000072b4e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3384] 0000000070b512f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3388] 0000000070b52c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3392] 0000000070b52c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3396] 0000000070b21070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3400] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3404] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3408] 0000000070ae1010 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3412] 0000000070ac12f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3416] 0000000070aa1000 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3420] 0000000072b57b60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3424] 0000000072b4e280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3428] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3432] 0000000072c65400 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3436] 0000000070b216a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3440] 0000000070986120 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3464] 0000000072db4290 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3468] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3476] 0000000072db8650 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3480] 0000000072dc28c0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3484] 0000000072dc6680 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3488] 0000000072db9280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3496] 0000000072dbb070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3500] 0000000072dbb070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3504] 0000000072dbb070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3508] 0000000072dbb070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3512] 0000000072dbb070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3516] 0000000072dc0a60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3520] 00000000743b345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3952] 0000000077333e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:5300] 0000000077333e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:3228] 0000000077333e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1456:2928] 0000000077333e45 Thread C:\windows\System32\svchost.exe [2188:3696] 000007fef40d9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4576:4384] 000007fefd9c0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4576:4288] 000007fefba62a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4576:4292] 000007fee9f0d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4576:5764] 000007fef67e5124 Thread C:\Program Files\AVAST Software\Avast\AvastUI.exe [4860:4916] 0000000073b213b0 Thread C:\Program Files\AVAST Software\Avast\AvastUI.exe [4860:4920] 0000000072b604d0 Thread C:\Program Files\AVAST Software\Avast\AvastUI.exe [4860:5912] 0000000071d3a3e0 Thread C:\Program Files\AVAST Software\Avast\AvastUI.exe [4860:5952] 00000000741b32fb Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:4516] 000007fef768cc10 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:4480] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:1564] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:3200] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:3876] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:1488] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:1384] 000007fef765f718 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:1944] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:2404] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:4712] 000007fef754143c Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:5196] 000007fef7b86050 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:4252] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496:3312] 000007fef754b564 Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [4544:5296] 000007fefba62a7c Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [4544:5256] 000000006f226c88 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3604] 00000000666f628d Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3588] 00000000666f52c2 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3612] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3576] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3584] 00000000722e62ee Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3608] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3580] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3600] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3460] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3616] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4736] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4296] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4356] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4732] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:2640] 0000000077332e25 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4284] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:2672] 00000000704f27e1 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4136] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5976] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:1476] 00000000741b32fb Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5680] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4508] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4472] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:6104] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:1548] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5208] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5728] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5608] 0000000071d327c1 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5784] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5788] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4328] 0000000077333e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3048] 0000000077333e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:1276] 0000000077333e45 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:4236] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:2364] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:3856] 000000007153c724 Thread C:\Program Files (x86)\Mozilla Firefox\firefox.exe [3824:5228] 0000000077333e45 ---- Processes - GMER 2.0 ---- Library ? (*** suspicious ***) @ C:\windows\System32\svchost.exe [2188] 000007feff3f0000 Library ? (*** suspicious ***) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [4576] 000007fefde10000 Library ? (*** suspicious ***) @ C:\Program Files\AVAST Software\Avast\AvastUI.exe [4860] 0000000072ca0000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [4496] 000007feff370000 Library ? (*** suspicious ***) @ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [4544] 000007feeee10000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\446d57001e71 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\446d57001e71 (not active ControlSet) ---- EOF - GMER 2.0 ----