GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-18 05:59:41 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b Crucial_CT256MX100SSD1 rev.MU01 238,47GB Running: l15zhpk1.exe; Driver: C:\Users\alfa1\AppData\Local\Temp\uwldiuoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 2D, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 2D, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 2D, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 2D, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 2D, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4860] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 32, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 32, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 32, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 32, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 32, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[5068] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3524] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, DC, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, DC, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, DC, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, DC, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, DC, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[1216] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 35, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 35, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 35, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 35, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 35, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4744] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 8D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 8D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 8D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 8D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 8D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[4636] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5024] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 45, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 45, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 45, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 45, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 45, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[3808] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, A1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, A1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, A1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, A1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, A1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5132] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes {PUSH RAX; OUTS DX, BYTE [RSI]; JMP 0x85} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes {OUTS DX, BYTE [RSI]; JMP 0x85} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, E9, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, E9, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, E9, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {LOOPNZ 0x6f; JMP 0x85} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5376] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 31, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 31, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 31, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 31, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 31, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5496] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 9F, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 9F, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 9F, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 9F, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 9F, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5540] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, A2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, A2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, A2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, A2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, A2, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5864] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, 5D, 7F, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, 5D, 7F, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, 5D, 7F, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, 5D, 7F, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, 5D, 7F, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4752] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, C3, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, C3, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, C3, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, C3, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, C3, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[4792] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff8a4164ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff8a4164fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff8a41652a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff8a416549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff8a416583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff8a4165895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff8a4165a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff8a4165fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8a41e0780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8a41e0900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8a41e0930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8a41e0a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8a41e0b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8a41e11c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8a41e14c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8a41e1d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\l15zhpk1.exe[3328] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [608:4032] fffff9600092f2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x21 0xFF 0x3A 0x08 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xE7 0x3A 0xCE 0x3F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x21 0xFF 0x3A 0x08 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xA6 0x75 0x15 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 183 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SEC39450_00_07D7_DE^99F3F194F94A898AD987FBDFFAAFDDA1@Timestamp 0xF1 0x12 0x5E 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{1515853E-80D8-4F42-9B4E-278E5B89A2A4}\Connection@Name Reusable ISATAP Interface {1515853E-80D8-4F42-9B4E-278E5B89A2A4} Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\p\syschk.dll??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\p\??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\ui\pfUI.dll??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\ui\res\lang-1045.dll??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\ui\res\Montserrat-Regular.otf??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\ui\res\??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\ui\??\??\C:\Users\alfa1\AppData\Local\Temp\nsr94BF.tmp\??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\p\syschk.dll??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\p\??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\ui\pfUI.dll??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\ui\res\lang-1045.dll??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\ui\res\Montserrat-Regular.otf??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\ui\res\??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\ui\??\??\C:\Users\alfa1\AppData\Local\Temp\nsh708D.tmp\?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900180 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1361364038 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 203 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 507245384 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 8027 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 62b55fe0-6999-4406-94e1-2a550b0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswbidsh\Parameters@Reboot 47 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{ef9561e5-9d28-4131-b1fa-a15076c62885}@LastProbeTime 1497733690 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{1515853E-80D8-4F42-9B4E-278E5B89A2A4}@InterfaceName Reusable ISATAP Interface {1515853E-80D8-4F42-9B4E-278E5B89A2A4} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{1515853E-80D8-4F42-9B4E-278E5B89A2A4}@ReusableType 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@CheckVersion 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3944 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2108 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 184 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1044 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@LeaseObtainedTime 1497726482 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@T1 1497730082 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@T2 1497732782 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@LeaseTerminatesTime 1497733682 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastSqmLog 0x84 0x8D 0x18 0xA3 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 114 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\iexplore@Count 2 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_7.9.9600.18696_38fa45d17d021e71a9370bd2fb6c2734b435af_00000000_03c25f81 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----