GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-15 14:23:21 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB Running: 48mdsg7i.exe; Driver: C:\Users\Leszek\AppData\Local\Temp\kxldrpow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960000b2700 15 bytes [00, EA, 0F, 02, 00, 7F, 6F, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff960000b2710 11 bytes [00, 1F, FC, FF, 80, 52, DE, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\winlogon.exe[652] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9504b6620 5 bytes JMP 00007ff9d05e0460 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9504b6670 5 bytes JMP 00007ff9d05e0450 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9504b67d0 5 bytes JMP 00007ff9d05e0370 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9504b6820 5 bytes JMP 00007ff9d05e0470 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9504b6830 5 bytes JMP 00007ff9d05e03e0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9504b68e0 5 bytes JMP 00007ff9d05e0320 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9504b6910 5 bytes JMP 00007ff9d05e03b0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9504b6930 5 bytes JMP 00007ff9d05e0390 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9504b6970 5 bytes JMP 00007ff9d05e02e0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9504b69f0 5 bytes JMP 00007ff9d05e02d0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9504b6a10 5 bytes JMP 00007ff9d05e0310 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9504b6a50 5 bytes JMP 00007ff9d05e03c0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9504b6aa0 5 bytes JMP 00007ff9d05e03f0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9504b6c00 5 bytes JMP 00007ff9d05e0230 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9504b6df0 1 byte JMP 00007ff9d05e0480 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ff9504b6df2 3 bytes {JMP 0xffffffff80129690} .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9504b6e20 5 bytes JMP 00007ff9d05e03a0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9504b6f40 5 bytes JMP 00007ff9d05e02f0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9504b6f60 5 bytes JMP 00007ff9d05e0350 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9504b6fd0 5 bytes JMP 00007ff9d05e0290 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9504b7060 5 bytes JMP 00007ff9d05e02b0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9504b7080 5 bytes JMP 00007ff9d05e03d0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9504b7090 5 bytes JMP 00007ff9d05e0330 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9504b7140 5 bytes JMP 00007ff9d05e0410 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9504b7170 5 bytes JMP 00007ff9d05e0240 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9504b7490 5 bytes JMP 00007ff9d05e01e0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9504b7550 5 bytes JMP 00007ff9d05e0250 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9504b7580 5 bytes JMP 00007ff9d05e0490 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9504b7590 5 bytes JMP 00007ff9d05e04a0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9504b75c0 5 bytes JMP 00007ff9d05e0300 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9504b75d0 1 byte JMP 00007ff9d05e0360 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ff9504b75d2 3 bytes {JMP 0xffffffff80128d90} .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9504b7630 5 bytes JMP 00007ff9d05e02a0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9504b7680 5 bytes JMP 00007ff9d05e02c0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9504b76b0 5 bytes JMP 00007ff9d05e0380 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9504b76c0 5 bytes JMP 00007ff9d05e0340 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9504b79d0 5 bytes JMP 00007ff9d05e0440 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9504b7bd0 1 byte JMP 00007ff9d05e0260 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ff9504b7bd2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9504b7be0 1 byte JMP 00007ff9d05e0270 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ff9504b7be2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9504b7c00 5 bytes JMP 00007ff9d05e0400 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9504b7de0 5 bytes JMP 00007ff9d05e01f0 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9504b7df0 5 bytes JMP 00007ff9d05e0210 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9504b7e80 5 bytes JMP 00007ff9d05e0200 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9504b7ef0 5 bytes JMP 00007ff9d05e0420 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9504b7f00 5 bytes JMP 00007ff9d05e0430 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9504b7f10 5 bytes JMP 00007ff9d05e0220 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9504b8020 5 bytes JMP 00007ff9d05e0280 .text C:\WINDOWS\system32\lsass.exe[724] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ff94e7930e0 7 bytes JMP 00007ffa4d8602d0 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ff94e794478 7 bytes JMP 00007ffa4d860308 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ff94e8411a8 7 bytes JMP 00007ffa4d860340 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ff94e84121c 7 bytes JMP 00007ffa4d8603b0 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ff94e841668 7 bytes JMP 00007ffa4d860378 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ff94e8472d0 7 bytes JMP 00007ffa4d860260 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ff94e86d5a4 7 bytes JMP 00007ffa4d860228 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ff94e86d614 7 bytes JMP 00007ffa4d860298 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ff94d872124 7 bytes JMP 00007ffa4d8600d8 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ff94d8750e8 5 bytes JMP 00007ffa4d860180 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ff94d8752a0 5 bytes JMP 00007ffa4d860148 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ff94d87a9b0 5 bytes JMP 00007ffa4d860110 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ff94dcc7b64 10 bytes JMP 00007ffa4d860490 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ff94dce2910 5 bytes JMP 00007ffa4d860420 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ff94dce4578 5 bytes JMP 00007ffa4d860458 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff94dce4980 9 bytes JMP 00007ffa4d8603e8 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ff94e641500 8 bytes JMP 00007ffa4d8601b8 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ff94e641750 8 bytes JMP 00007ffa4d8601f0 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ff94b7b705c 5 bytes JMP 00007ffa4b6000d8 .text C:\WINDOWS\system32\dwm.exe[940] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ff94b7b7678 5 bytes JMP 00007ffa4b600110 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9504b6620 5 bytes JMP 00007ff9d05e0460 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9504b6670 5 bytes JMP 00007ff9d05e0450 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9504b67d0 5 bytes JMP 00007ff9d05e0370 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9504b6820 5 bytes JMP 00007ff9d05e0470 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9504b6830 5 bytes JMP 00007ff9d05e03e0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9504b68e0 5 bytes JMP 00007ff9d05e0320 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9504b6910 5 bytes JMP 00007ff9d05e03b0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9504b6930 5 bytes JMP 00007ff9d05e0390 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9504b6970 5 bytes JMP 00007ff9d05e02e0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9504b69f0 5 bytes JMP 00007ff9d05e02d0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9504b6a10 5 bytes JMP 00007ff9d05e0310 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9504b6a50 5 bytes JMP 00007ff9d05e03c0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9504b6aa0 5 bytes JMP 00007ff9d05e03f0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9504b6c00 5 bytes JMP 00007ff9d05e0230 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9504b6df0 1 byte JMP 00007ff9d05e0480 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ff9504b6df2 3 bytes {JMP 0xffffffff80129690} .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9504b6e20 5 bytes JMP 00007ff9d05e03a0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9504b6f40 5 bytes JMP 00007ff9d05e02f0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9504b6f60 5 bytes JMP 00007ff9d05e0350 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9504b6fd0 5 bytes JMP 00007ff9d05e0290 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9504b7060 5 bytes JMP 00007ff9d05e02b0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9504b7080 5 bytes JMP 00007ff9d05e03d0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9504b7090 5 bytes JMP 00007ff9d05e0330 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9504b7140 5 bytes JMP 00007ff9d05e0410 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9504b7170 5 bytes JMP 00007ff9d05e0240 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9504b7490 5 bytes JMP 00007ff9d05e01e0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9504b7550 5 bytes JMP 00007ff9d05e0250 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9504b7580 5 bytes JMP 00007ff9d05e0490 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9504b7590 5 bytes JMP 00007ff9d05e04a0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9504b75c0 5 bytes JMP 00007ff9d05e0300 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9504b75d0 1 byte JMP 00007ff9d05e0360 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ff9504b75d2 3 bytes {JMP 0xffffffff80128d90} .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9504b7630 5 bytes JMP 00007ff9d05e02a0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9504b7680 5 bytes JMP 00007ff9d05e02c0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9504b76b0 5 bytes JMP 00007ff9d05e0380 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9504b76c0 5 bytes JMP 00007ff9d05e0340 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9504b79d0 5 bytes JMP 00007ff9d05e0440 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9504b7bd0 1 byte JMP 00007ff9d05e0260 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ff9504b7bd2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9504b7be0 1 byte JMP 00007ff9d05e0270 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ff9504b7be2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9504b7c00 5 bytes JMP 00007ff9d05e0400 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9504b7de0 5 bytes JMP 00007ff9d05e01f0 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9504b7df0 5 bytes JMP 00007ff9d05e0210 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9504b7e80 5 bytes JMP 00007ff9d05e0200 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9504b7ef0 5 bytes JMP 00007ff9d05e0420 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9504b7f00 5 bytes JMP 00007ff9d05e0430 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9504b7f10 5 bytes JMP 00007ff9d05e0220 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9504b8020 5 bytes JMP 00007ff9d05e0280 .text C:\WINDOWS\system32\svchost.exe[524] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[852] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9504b6620 5 bytes JMP 00007ff9d05e0460 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9504b6670 5 bytes JMP 00007ff9d05e0450 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9504b67d0 5 bytes JMP 00007ff9d05e0370 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9504b6820 5 bytes JMP 00007ff9d05e0470 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9504b6830 5 bytes JMP 00007ff9d05e03e0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9504b68e0 5 bytes JMP 00007ff9d05e0320 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9504b6910 5 bytes JMP 00007ff9d05e03b0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9504b6930 5 bytes JMP 00007ff9d05e0390 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9504b6970 5 bytes JMP 00007ff9d05e02e0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9504b69f0 5 bytes JMP 00007ff9d05e02d0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9504b6a10 5 bytes JMP 00007ff9d05e0310 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9504b6a50 5 bytes JMP 00007ff9d05e03c0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9504b6aa0 5 bytes JMP 00007ff9d05e03f0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9504b6c00 5 bytes JMP 00007ff9d05e0230 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9504b6df0 1 byte JMP 00007ff9d05e0480 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ff9504b6df2 3 bytes {JMP 0xffffffff80129690} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9504b6e20 5 bytes JMP 00007ff9d05e03a0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9504b6f40 5 bytes JMP 00007ff9d05e02f0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9504b6f60 5 bytes JMP 00007ff9d05e0350 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9504b6fd0 5 bytes JMP 00007ff9d05e0290 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9504b7060 5 bytes JMP 00007ff9d05e02b0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9504b7080 5 bytes JMP 00007ff9d05e03d0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9504b7090 5 bytes JMP 00007ff9d05e0330 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9504b7140 5 bytes JMP 00007ff9d05e0410 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9504b7170 5 bytes JMP 00007ff9d05e0240 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9504b7490 5 bytes JMP 00007ff9d05e01e0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9504b7550 5 bytes JMP 00007ff9d05e0250 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9504b7580 5 bytes JMP 00007ff9d05e0490 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9504b7590 5 bytes JMP 00007ff9d05e04a0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9504b75c0 5 bytes JMP 00007ff9d05e0300 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9504b75d0 1 byte JMP 00007ff9d05e0360 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ff9504b75d2 3 bytes {JMP 0xffffffff80128d90} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9504b7630 5 bytes JMP 00007ff9d05e02a0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9504b7680 5 bytes JMP 00007ff9d05e02c0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9504b76b0 5 bytes JMP 00007ff9d05e0380 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9504b76c0 5 bytes JMP 00007ff9d05e0340 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9504b79d0 5 bytes JMP 00007ff9d05e0440 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9504b7bd0 1 byte JMP 00007ff9d05e0260 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ff9504b7bd2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9504b7be0 1 byte JMP 00007ff9d05e0270 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ff9504b7be2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9504b7c00 5 bytes JMP 00007ff9d05e0400 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9504b7de0 5 bytes JMP 00007ff9d05e01f0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9504b7df0 5 bytes JMP 00007ff9d05e0210 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9504b7e80 5 bytes JMP 00007ff9d05e0200 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9504b7ef0 5 bytes JMP 00007ff9d05e0420 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9504b7f00 5 bytes JMP 00007ff9d05e0430 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9504b7f10 5 bytes JMP 00007ff9d05e0220 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9504b8020 5 bytes JMP 00007ff9d05e0280 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9504b6620 5 bytes JMP 00007ff9d05e0460 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9504b6670 5 bytes JMP 00007ff9d05e0450 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9504b67d0 5 bytes JMP 00007ff9d05e0370 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9504b6820 5 bytes JMP 00007ff9d05e0470 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9504b6830 5 bytes JMP 00007ff9d05e03e0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9504b68e0 5 bytes JMP 00007ff9d05e0320 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9504b6910 5 bytes JMP 00007ff9d05e03b0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9504b6930 5 bytes JMP 00007ff9d05e0390 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9504b6970 5 bytes JMP 00007ff9d05e02e0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9504b69f0 5 bytes JMP 00007ff9d05e02d0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9504b6a10 5 bytes JMP 00007ff9d05e0310 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9504b6a50 5 bytes JMP 00007ff9d05e03c0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9504b6aa0 5 bytes JMP 00007ff9d05e03f0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9504b6c00 5 bytes JMP 00007ff9d05e0230 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9504b6df0 1 byte JMP 00007ff9d05e0480 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ff9504b6df2 3 bytes {JMP 0xffffffff80129690} .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9504b6e20 5 bytes JMP 00007ff9d05e03a0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9504b6f40 5 bytes JMP 00007ff9d05e02f0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9504b6f60 5 bytes JMP 00007ff9d05e0350 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9504b6fd0 5 bytes JMP 00007ff9d05e0290 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9504b7060 5 bytes JMP 00007ff9d05e02b0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9504b7080 5 bytes JMP 00007ff9d05e03d0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9504b7090 5 bytes JMP 00007ff9d05e0330 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9504b7140 5 bytes JMP 00007ff9d05e0410 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9504b7170 5 bytes JMP 00007ff9d05e0240 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9504b7490 5 bytes JMP 00007ff9d05e01e0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9504b7550 5 bytes JMP 00007ff9d05e0250 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9504b7580 5 bytes JMP 00007ff9d05e0490 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9504b7590 5 bytes JMP 00007ff9d05e04a0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9504b75c0 5 bytes JMP 00007ff9d05e0300 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9504b75d0 1 byte JMP 00007ff9d05e0360 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ff9504b75d2 3 bytes {JMP 0xffffffff80128d90} .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9504b7630 5 bytes JMP 00007ff9d05e02a0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9504b7680 5 bytes JMP 00007ff9d05e02c0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9504b76b0 5 bytes JMP 00007ff9d05e0380 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9504b76c0 5 bytes JMP 00007ff9d05e0340 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9504b79d0 5 bytes JMP 00007ff9d05e0440 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9504b7bd0 1 byte JMP 00007ff9d05e0260 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ff9504b7bd2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9504b7be0 1 byte JMP 00007ff9d05e0270 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ff9504b7be2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9504b7c00 5 bytes JMP 00007ff9d05e0400 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9504b7de0 5 bytes JMP 00007ff9d05e01f0 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9504b7df0 5 bytes JMP 00007ff9d05e0210 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9504b7e80 5 bytes JMP 00007ff9d05e0200 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9504b7ef0 5 bytes JMP 00007ff9d05e0420 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9504b7f00 5 bytes JMP 00007ff9d05e0430 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9504b7f10 5 bytes JMP 00007ff9d05e0220 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9504b8020 5 bytes JMP 00007ff9d05e0280 .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff94dcb169a 4 bytes [CB, 4D, F9, 7F] .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff94dcb16a2 4 bytes [CB, 4D, F9, 7F] .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff94dcb181a 4 bytes [CB, 4D, F9, 7F] .text C:\WINDOWS\Explorer.EXE[1564] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff94dcb1832 4 bytes [CB, 4D, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1536] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9504b6620 5 bytes JMP 00007ff9d05e0460 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9504b6670 5 bytes JMP 00007ff9d05e0450 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9504b67d0 5 bytes JMP 00007ff9d05e0370 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9504b6820 5 bytes JMP 00007ff9d05e0470 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9504b6830 5 bytes JMP 00007ff9d05e03e0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9504b68e0 5 bytes JMP 00007ff9d05e0320 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9504b6910 5 bytes JMP 00007ff9d05e03b0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9504b6930 5 bytes JMP 00007ff9d05e0390 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9504b6970 5 bytes JMP 00007ff9d05e02e0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9504b69f0 5 bytes JMP 00007ff9d05e02d0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9504b6a10 5 bytes JMP 00007ff9d05e0310 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9504b6a50 5 bytes JMP 00007ff9d05e03c0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9504b6aa0 5 bytes JMP 00007ff9d05e03f0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9504b6c00 5 bytes JMP 00007ff9d05e0230 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9504b6df0 1 byte JMP 00007ff9d05e0480 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ff9504b6df2 3 bytes {JMP 0xffffffff80129690} .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9504b6e20 5 bytes JMP 00007ff9d05e03a0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9504b6f40 5 bytes JMP 00007ff9d05e02f0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9504b6f60 5 bytes JMP 00007ff9d05e0350 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9504b6fd0 5 bytes JMP 00007ff9d05e0290 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9504b7060 5 bytes JMP 00007ff9d05e02b0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9504b7080 5 bytes JMP 00007ff9d05e03d0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9504b7090 5 bytes JMP 00007ff9d05e0330 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9504b7140 5 bytes JMP 00007ff9d05e0410 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9504b7170 5 bytes JMP 00007ff9d05e0240 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9504b7490 5 bytes JMP 00007ff9d05e01e0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9504b7550 5 bytes JMP 00007ff9d05e0250 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9504b7580 5 bytes JMP 00007ff9d05e0490 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9504b7590 5 bytes JMP 00007ff9d05e04a0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9504b75c0 5 bytes JMP 00007ff9d05e0300 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9504b75d0 1 byte JMP 00007ff9d05e0360 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ff9504b75d2 3 bytes {JMP 0xffffffff80128d90} .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9504b7630 5 bytes JMP 00007ff9d05e02a0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9504b7680 5 bytes JMP 00007ff9d05e02c0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9504b76b0 5 bytes JMP 00007ff9d05e0380 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9504b76c0 5 bytes JMP 00007ff9d05e0340 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9504b79d0 5 bytes JMP 00007ff9d05e0440 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9504b7bd0 1 byte JMP 00007ff9d05e0260 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ff9504b7bd2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9504b7be0 1 byte JMP 00007ff9d05e0270 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ff9504b7be2 3 bytes {JMP 0xffffffff80128690} .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9504b7c00 5 bytes JMP 00007ff9d05e0400 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9504b7de0 5 bytes JMP 00007ff9d05e01f0 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9504b7df0 5 bytes JMP 00007ff9d05e0210 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9504b7e80 5 bytes JMP 00007ff9d05e0200 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9504b7ef0 5 bytes JMP 00007ff9d05e0420 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9504b7f00 5 bytes JMP 00007ff9d05e0430 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9504b7f10 5 bytes JMP 00007ff9d05e0220 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9504b8020 5 bytes JMP 00007ff9d05e0280 .text C:\WINDOWS\system32\taskhostex.exe[2004] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9504b6620 5 bytes JMP 00007ff9d05e0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9504b6670 5 bytes JMP 00007ff9d05e0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9504b67d0 5 bytes JMP 00007ff9d05e0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9504b6820 5 bytes JMP 00007ff9d05e0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9504b6830 5 bytes JMP 00007ff9d05e03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9504b68e0 5 bytes JMP 00007ff9d05e0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9504b6910 5 bytes JMP 00007ff9d05e03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9504b6930 5 bytes JMP 00007ff9d05e0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9504b6970 5 bytes JMP 00007ff9d05e02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9504b69f0 5 bytes JMP 00007ff9d05e02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9504b6a10 5 bytes JMP 00007ff9d05e0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9504b6a50 5 bytes JMP 00007ff9d05e03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9504b6aa0 5 bytes JMP 00007ff9d05e03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9504b6c00 5 bytes JMP 00007ff9d05e0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9504b6df0 1 byte JMP 00007ff9d05e0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ff9504b6df2 3 bytes {JMP 0xffffffff80129690} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9504b6e20 5 bytes JMP 00007ff9d05e03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9504b6f40 5 bytes JMP 00007ff9d05e02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9504b6f60 5 bytes JMP 00007ff9d05e0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9504b6fd0 5 bytes JMP 00007ff9d05e0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9504b7060 5 bytes JMP 00007ff9d05e02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9504b7080 5 bytes JMP 00007ff9d05e03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9504b7090 5 bytes JMP 00007ff9d05e0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9504b7140 5 bytes JMP 00007ff9d05e0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9504b7170 5 bytes JMP 00007ff9d05e0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9504b7490 5 bytes JMP 00007ff9d05e01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9504b7550 5 bytes JMP 00007ff9d05e0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9504b7580 5 bytes JMP 00007ff9d05e0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9504b7590 5 bytes JMP 00007ff9d05e04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9504b75c0 5 bytes JMP 00007ff9d05e0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9504b75d0 1 byte JMP 00007ff9d05e0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ff9504b75d2 3 bytes {JMP 0xffffffff80128d90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9504b7630 5 bytes JMP 00007ff9d05e02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9504b7680 5 bytes JMP 00007ff9d05e02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9504b76b0 5 bytes JMP 00007ff9d05e0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9504b76c0 5 bytes JMP 00007ff9d05e0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9504b79d0 5 bytes JMP 00007ff9d05e0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9504b7bd0 1 byte JMP 00007ff9d05e0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ff9504b7bd2 3 bytes {JMP 0xffffffff80128690} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9504b7be0 1 byte JMP 00007ff9d05e0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ff9504b7be2 3 bytes {JMP 0xffffffff80128690} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9504b7c00 5 bytes JMP 00007ff9d05e0400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9504b7de0 5 bytes JMP 00007ff9d05e01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9504b7df0 5 bytes JMP 00007ff9d05e0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9504b7e80 5 bytes JMP 00007ff9d05e0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9504b7ef0 5 bytes JMP 00007ff9d05e0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9504b7f00 5 bytes JMP 00007ff9d05e0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9504b7f10 5 bytes JMP 00007ff9d05e0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9504b8020 5 bytes JMP 00007ff9d05e0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2108] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[2132] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\SearchIndexer.exe[3316] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[2952] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\Windows\System32\igfxpers.exe[3916] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2516] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] .text C:\WINDOWS\system32\AUDIODG.EXE[1776] C:\WINDOWS\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff94e7a977d 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [616:4916] fffff960009604d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----