GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-26 13:11:34 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b Crucial_CT256MX100SSD1 rev.MU01 238,47GB Running: ex5xoikj.exe; Driver: C:\Users\alfa1\AppData\Local\Temp\uwldiuoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 2A, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 2A, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 2A, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 2A, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 2A, 7F, 00, 00, 00, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4748] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5088] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!ShowScrollBar 00007ffbd8291150 5 bytes JMP 00007ffb58300018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!SetScrollInfo 00007ffbd829c760 5 bytes JMP 00007ffb582b0018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!GetScrollInfo 00007ffbd82a4810 5 bytes JMP 00007ffb582c0018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!SetScrollRange 00007ffbd82b5ea0 5 bytes JMP 00007ffb582d0018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!SetScrollPos 00007ffbd82c5080 5 bytes JMP 00007ffb58340018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!EnableScrollBar 00007ffbd82c72f0 5 bytes JMP 00007ffb582e0018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!GetScrollPos 00007ffbd82cfc70 5 bytes JMP 00007ffb582f0018 .text C:\Program Files\CCleaner\CCleaner64.exe[3812] C:\Windows\system32\USER32.dll!GetScrollRange 00007ffbd831edb0 5 bytes JMP 00007ffb58330018 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[3480] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, DE, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[4276] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 67, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 67, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 67, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 67, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 67, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5036] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe[5164] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 6D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 6D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 6D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 6D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 6D, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5184] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, B0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, B0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, B0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, B0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, B0, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CheckNDISPort_df.exe[5284] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 6E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 6E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 6E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 6E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 6E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mobilt Bredband\CancelAutoPlay_df.exe[5408] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\TwinCAT\TcSysUI.exe[5492] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 5E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 5E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 5E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 5E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 5E, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\NOL3Starter\NOL3Starter.exe[5616] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, F1, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5796] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 0C, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 0C, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 0C, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 0C, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 0C, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Software Updater\kl_platf.exe[5900] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 3D, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 3D, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 3D, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 3D, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 3D, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6276] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, 44, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, 44, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, 44, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, 44, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, 44, 7E, 00, 00, 00, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[844] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbd9f14ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbd9f14fcc 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbd9f152a6 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbd9f1549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbd9f1583f 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffbd9f15895 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbd9f15a44 8 bytes [00, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbd9f15fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbd9f90780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbd9f90900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbd9f90930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbd9f90a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbd9f90b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbd9f911c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbd9f914c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbd9f91d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077aa13f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077aa1583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077aa1621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077aa1674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077aa16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077aa16e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\alfa1\Downloads\ex5xoikj.exe[5888] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077aa1727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [612:3668] fffff960009b62d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -685674005 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4069 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@LeaseObtainedTime 1498471944 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@T1 1498515144 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@T2 1498547544 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D0E9F6E-FBBD-4E20-A8F3-F3EDAA8165A9}@LeaseTerminatesTime 1498558344 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Windows\System32\sru\SRU00575.log 65536 bytes ---- EOF - GMER 2.2 ----