GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-05 13:25:44 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 HGST_HTS541010A9E680 rev.JA0OA560 931,51GB Running: oc92ph0y.exe; Driver: C:\Users\Misiek\AppData\Local\Temp\ufldypod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600018fd00 15 bytes [00, A9, F3, 01, 80, 64, 6D, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff9600018fd10 11 bytes [00, 91, FC, FF, 00, BF, CA, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbebfb4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbebfb4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbebfb5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbebfb53ff 8 bytes {JMP 0xffffffffffffffee} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbebfb579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbebfb5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbebfb5ef1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffbebfb5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffbebfb60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffbebfb64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffbebfb6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffbebfb66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffbebfb8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffbebfb8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffbebfb8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffbebfb8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffbebfb90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffbebfb917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffbebfb9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffbebfb9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffbebfbaae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffbebfbab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffbebfbb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffbebfbb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffbebfbc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffbebfbc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffbebfbd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffbebfbd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffbebfbd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffbebfbd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffbebfbd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffbebfbd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffbebfbdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffbebfbdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffbebfbe073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffbebfbe124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffbebfbe160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffbebfbeb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffbebfbfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffbebfc009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffbebfc015b 8 bytes [70, 6C, 3D, 7E, 00, 00, 00, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffbebfc1438 8 bytes [40, 6C, 3D, 7E, 00, 00, 00, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffbebfc15e6 8 bytes [30, 6C, 3D, 7E, 00, 00, 00, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffbebfc1877 8 bytes [20, 6C, 3D, 7E, 00, 00, 00, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffbebfc1a2d 8 bytes [10, 6C, 3D, 7E, 00, 00, 00, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffbebfc1c35 8 bytes [00, 6C, 3D, 7E, 00, 00, 00, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbec031290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbec031410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbec031440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbec031560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbec031610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbec031cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbec031fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbec032850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077b813f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077b81583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077b81621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077b81674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077b816d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077b816e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077b81727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 0000000077b825d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 0000000077b82714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 0000000077b82961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\TEMP\DPTF\esif_assist.exe[3428] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 0000000077b82bd3 8 bytes [DC, 6A, 3D, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbebfb4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbebfb4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbebfb5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbebfb53ff 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbebfb579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbebfb5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbebfb5ef1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffbebfb5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffbebfb60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffbebfb64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffbebfb6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffbebfb66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffbebfb8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffbebfb8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffbebfb8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffbebfb8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffbebfb90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffbebfb917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffbebfb9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffbebfb9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffbebfbaae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffbebfbab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffbebfbb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffbebfbb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffbebfbc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffbebfbc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffbebfbd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffbebfbd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffbebfbd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffbebfbd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffbebfbd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffbebfbd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffbebfbdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffbebfbdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffbebfbe073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffbebfbe124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffbebfbe160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffbebfbeb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffbebfbfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffbebfc009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffbebfc015b 8 bytes [70, 6C, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffbebfc1438 8 bytes [40, 6C, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffbebfc15e6 8 bytes [30, 6C, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffbebfc1877 8 bytes [20, 6C, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffbebfc1a2d 8 bytes [10, 6C, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffbebfc1c35 8 bytes [00, 6C, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbec031290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbec031410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbec031440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbec031560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbec031610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbec031cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbec031fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbec032850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077b813f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077b81583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077b81621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077b81674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077b816d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077b816e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077b81727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 0000000077b825d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 0000000077b82714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 0000000077b82961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4808] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 0000000077b82bd3 8 bytes [DC, 6A, 2C, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbebfb4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbebfb4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbebfb5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbebfb53ff 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbebfb579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbebfb5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbebfb5ef1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffbebfb5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffbebfb60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffbebfb64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffbebfb6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffbebfb66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffbebfb8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffbebfb8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffbebfb8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffbebfb8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffbebfb90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffbebfb917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffbebfb9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffbebfb9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffbebfbaae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffbebfbab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffbebfbb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffbebfbb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffbebfbc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffbebfbc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffbebfbd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffbebfbd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffbebfbd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffbebfbd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffbebfbd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffbebfbd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffbebfbdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffbebfbdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffbebfbe073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffbebfbe124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffbebfbe160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffbebfbeb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffbebfbfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffbebfc009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffbebfc015b 8 bytes [70, 6C, B7, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffbebfc1438 8 bytes [40, 6C, B7, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffbebfc15e6 8 bytes [30, 6C, B7, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffbebfc1877 8 bytes [20, 6C, B7, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffbebfc1a2d 8 bytes [10, 6C, B7, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffbebfc1c35 8 bytes [00, 6C, B7, 7E, 00, 00, 00, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbec031290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbec031410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbec031440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbec031560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbec031610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbec031cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbec031fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbec032850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077b813f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077b81583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077b81621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077b81674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077b816d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077b816e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077b81727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 0000000077b825d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 0000000077b82714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 0000000077b82961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5460] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 0000000077b82bd3 8 bytes [DC, 6A, B7, 7E, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffbebfb4b04 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffbebfb4f2c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffbebfb5206 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffbebfb53ff 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffbebfb579f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffbebfb5954 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffbebfb5ef1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion + 78 00007ffbebfb5f4e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlWakeAddressAll + 399 00007ffbebfb60ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlUnsubscribeWnfStateChangeNotification + 977 00007ffbebfb64d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 310 00007ffbebfb6616 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpSimpleTryPost + 491 00007ffbebfb66cb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlReportSilentProcessExit + 359 00007ffbebfb8397 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 67 00007ffbebfb8a13 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrFindEntryForAddress + 864 00007ffbebfb8d30 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrGetDllHandleByName + 143 00007ffbebfb8e9f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 510 00007ffbebfb90ae 8 bytes {JMP 0xffffffffffffff96} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrInitializeThunk + 715 00007ffbebfb917b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlQueueWorkItem + 772 00007ffbebfb9d14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrAddRefDll + 685 00007ffbebfb9fcd 8 bytes {JMP 0xffffffffffffffaf} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 352 00007ffbebfbaae0 8 bytes {JMP 0xffffffffffffffcd} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!SbSelectProcedure + 488 00007ffbebfbab68 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlGetVersion + 565 00007ffbebfbb2e5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlGetNtProductType + 78 00007ffbebfbb33e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 311 00007ffbebfbc4d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll + 528 00007ffbebfbc5b0 8 bytes {JMP 0xffffffffffffffc7} .text ... * 2 .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlAllocateActivationContextStack + 579 00007ffbebfbd0d3 8 bytes {JMP 0xffffffffffffffef} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeThreadActivationContextStack + 47 00007ffbebfbd10f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlProcessFlsData + 495 00007ffbebfbd57f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 43 00007ffbebfbd6eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlDetectHeapLeaks + 456 00007ffbebfbd888 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 180 00007ffbebfbd944 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlRegisterWait + 596 00007ffbebfbdba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWait + 424 00007ffbebfbdd58 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 771 00007ffbebfbe073 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!TpSetWaitEx + 948 00007ffbebfbe124 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsA + 48 00007ffbebfbe160 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlRandomEx + 756 00007ffbebfbeb74 8 bytes {JMP 0xffffffffffffffd0} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteFunctionTable + 371 00007ffbebfbfe63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlAddFunctionTable + 556 00007ffbebfc009c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlProtectHeap + 171 00007ffbebfc015b 8 bytes [70, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlInitializeCriticalSectionEx + 744 00007ffbebfc1438 8 bytes [40, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!EtwRegisterTraceGuidsW + 214 00007ffbebfc15e6 8 bytes [30, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!EtwNotificationRegister + 567 00007ffbebfc1877 8 bytes [20, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlDllShutdownInProgress + 429 00007ffbebfc1a2d 8 bytes [10, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 213 00007ffbebfc1c35 8 bytes [00, 6C, F8, 7F, 00, 00, 00, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbec031290 8 bytes {JMP QWORD [RIP-0x6fe5e]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbec031410 8 bytes {JMP QWORD [RIP-0x6fe30]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbec031440 8 bytes {JMP QWORD [RIP-0x712eb]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbec031560 8 bytes {JMP QWORD [RIP-0x70c1e]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbec031610 8 bytes {JMP QWORD [RIP-0x71122]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbec031cd0 8 bytes {JMP QWORD [RIP-0x700a1]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbec031fd0 8 bytes {JMP QWORD [RIP-0x705a9]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbec032850 8 bytes {JMP QWORD [RIP-0x70fdf]} .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 0000000077b813f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077b81583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077b81621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077b81674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 0000000077b816d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 0000000077b816e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077b81727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 7 .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuFlushInstructionCache + 16 0000000077b825d0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuInitializeStartupContext + 308 0000000077b82714 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuResetToConsistentState + 529 0000000077b82961 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Misiek\Downloads\oc92ph0y.exe[5840] C:\Windows\system32\wow64cpu.dll!CpuProcessTerm + 595 0000000077b82bd3 8 bytes [DC, 6A, F8, 7F, 00, 00, 00, ...] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1316] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcConnectPortEx] [52534d70] C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x64\prremote.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [768:784] fffff960009642d0 Thread C:\Windows\System32\SettingSyncHost.exe [3444:5760] 00007ffbd0c27090 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [5460] 000000006a880000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [5460] 0000000063740000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [5460] 000000006e680000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 000000006a880000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 0000000062c50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 0000000062b30000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 0000000063740000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 000000006e680000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 0000000063440000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 0000000063c80000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 00000000633a0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 000000006e670000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 0000000063340000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEERR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [5560] 00000000628e0000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----