GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-19 22:12:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000065 SanDisk_ rev.U210 111,79GB Running: qql51wvp.exe; Driver: A:\TEMP\awdiipob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c21401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c21419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c21431 2 bytes JMP 766e9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c2144a 2 bytes CALL 76644885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c214dd 2 bytes JMP 766e8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c214f5 2 bytes JMP 766e8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c2150d 2 bytes JMP 766e8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c21525 2 bytes JMP 766e8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c2153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c21555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c2156d 2 bytes JMP 766e9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c21585 2 bytes JMP 766e8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c2159d 2 bytes JMP 766e88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c215b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c215cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c216b2 2 bytes JMP 766e90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe[1336] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c216bd 2 bytes JMP 766e8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000769b2bdc 5 bytes JMP 00000000013c1179 .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c21401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c21419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c21431 2 bytes JMP 766e9149 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c2144a 2 bytes CALL 76644885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c214dd 2 bytes JMP 766e8a42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c214f5 2 bytes JMP 766e8c18 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c2150d 2 bytes JMP 766e8938 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c21525 2 bytes JMP 766e8d02 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c2153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c21555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c2156d 2 bytes JMP 766e9201 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c21585 2 bytes JMP 766e8d62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c2159d 2 bytes JMP 766e88fc C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c215b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c215cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c216b2 2 bytes JMP 766e90c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c216bd 2 bytes JMP 766e8891 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c21401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c21419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c21431 2 bytes JMP 766e9149 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c2144a 2 bytes CALL 76644885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c214dd 2 bytes JMP 766e8a42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c214f5 2 bytes JMP 766e8c18 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c2150d 2 bytes JMP 766e8938 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c21525 2 bytes JMP 766e8d02 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c2153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c21555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c2156d 2 bytes JMP 766e9201 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c21585 2 bytes JMP 766e8d62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c2159d 2 bytes JMP 766e88fc C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c215b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c215cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c216b2 2 bytes JMP 766e90c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\FluxSoftware\Flux\flux.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c216bd 2 bytes JMP 766e8891 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074c21401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074c21419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074c21431 2 bytes JMP 766e9149 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074c2144a 2 bytes CALL 76644885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074c214dd 2 bytes JMP 766e8a42 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074c214f5 2 bytes JMP 766e8c18 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074c2150d 2 bytes JMP 766e8938 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074c21525 2 bytes JMP 766e8d02 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074c2153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074c21555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074c2156d 2 bytes JMP 766e9201 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074c21585 2 bytes JMP 766e8d62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074c2159d 2 bytes JMP 766e88fc C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074c215b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074c215cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074c216b2 2 bytes JMP 766e90c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Przemek\AppData\Local\Akamai\netsession_win.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074c216bd 2 bytes JMP 766e8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000076d71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076d712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076d71434 8 bytes [50, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076d717be 8 bytes [40, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076d71a94 8 bytes [30, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076d71c15 8 bytes [20, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076d71d7f 8 bytes [10, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076d71e65 8 bytes [00, 4E, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000076d720c8 8 bytes [F0, 4D, F2, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dbbe00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076dbbf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dbbfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dbc180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000747713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007477146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000747716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000747719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000747719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074771a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000076d71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076d712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076d71434 8 bytes [50, BE, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076d717be 8 bytes [40, BE, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076d71a94 8 bytes [30, BE, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076d71c15 8 bytes [20, BE, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076d71d7f 8 bytes [10, BE, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076d71e65 8 bytes [00, BE, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000076d720c8 8 bytes [F0, BD, E8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dbbe00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076dbbf80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dbbfb0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dbc180 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000747713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007477146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000747716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000747719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000747719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[4884] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074771a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000076d71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076d712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076d71434 8 bytes [50, 1E, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076d717be 8 bytes [40, 1E, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076d71a94 8 bytes [30, 1E, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076d71c15 8 bytes [20, 1E, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076d71d7f 8 bytes [10, 1E, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076d71e65 8 bytes [00, 1E, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000076d720c8 8 bytes [F0, 1D, F0, 7E, 00, 00, 00, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dbbe00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076dbbf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dbbfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dbc180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000747713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007477146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000747716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000747719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000747719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[892] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074771a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000076d71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076d712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076d71434 8 bytes [50, 9E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076d717be 8 bytes [40, 9E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076d71a94 8 bytes [30, 9E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076d71c15 8 bytes [20, 9E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076d71d7f 8 bytes [10, 9E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076d71e65 8 bytes [00, 9E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000076d720c8 8 bytes [F0, 9D, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dbbe00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076dbbf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dbbfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dbc180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000747713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007477146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000747716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000747719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000747719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[156] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074771a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000076d71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076d712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076d71434 8 bytes [50, 2E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076d717be 8 bytes [40, 2E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076d71a94 8 bytes [30, 2E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076d71c15 8 bytes [20, 2E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076d71d7f 8 bytes [10, 2E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076d71e65 8 bytes [00, 2E, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000076d720c8 8 bytes [F0, 2D, F5, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dbbe00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076dbbf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dbbfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dbc180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 8 bytes {JMP QWORD [RIP-0x4b401]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000747713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007477146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000747716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000747719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000747719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2360] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074771a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 388 0000000076d71234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076d712df 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000076d71434 8 bytes [50, CE, E9, 7E, 00, 00, 00, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076d717be 8 bytes [40, CE, E9, 7E, 00, 00, 00, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000076d71a94 8 bytes {XOR DH, CL; JMP 0x85} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076d71c15 8 bytes {AND DH, CL; JMP 0x85} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076d71d7f 8 bytes {ADC DH, CL; JMP 0x85} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000076d71e65 8 bytes {ADD DH, CL; JMP 0x85} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 584 0000000076d720c8 8 bytes [F0, CD, E9, 7E, 00, 00, 00, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076dbbe00 8 bytes {JMP QWORD [RIP-0x4a1f1]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076dbbf80 8 bytes {JMP QWORD [RIP-0x4a207]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076dbbfb0 8 bytes {JMP QWORD [RIP-0x4ab82]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 8 bytes {JMP QWORD [RIP-0x4a642]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076dbc180 8 bytes {JMP QWORD [RIP-0x4a9c8]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 8 bytes {JMP QWORD [RIP-0x4a512]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 8 bytes {JMP QWORD [RIP-0x4a93e]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 8 bytes {JMP QWORD [RIP-0x4b401]} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000747713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007477146b 8 bytes {JMP 0xffffffffffffffb0} .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000747716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000747719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000747719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text A:\Pobrane\qql51wvp.exe[4368] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074771a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880036c58f4] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- EOF - GMER 2.2 ----