GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-29 14:13:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB Running: xxq8lbmk.exe; Driver: C:\Users\Emilia\AppData\Local\Temp\awrdqpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002db6000 45 bytes [00, 00, 10, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002db602f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff2189e0 8 bytes JMP 000007fffd8d01f0 .text C:\Windows\system32\Dwm.exe[1656] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff21be40 8 bytes JMP 000007fffd8d01b8 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1252] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077b6faa8 5 bytes JMP 000000016ffc18dd .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1252] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b70038 5 bytes JMP 000000016ffc1ed6 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1252] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 779 000000007637b9f8 4 bytes [0B, 26, FC, 6F] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... 
* 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, 
DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] 
C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5028] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\gghub.exe[3652] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes JMP a23f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes JMP 3f3f3f3f .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggapp.exe[3764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2440] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes JMP a23f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5404] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076558791 5 bytes JMP 0000000138527e6f .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076656143 5 bytes JMP 0000000138a94244 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076a93e59 5 bytes JMP 0000000138558f9e .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076a93eae 5 bytes JMP 00000001385697ad .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076a94731 5 bytes JMP 0000000138568ee7 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076a95dee 5 bytes JMP 000000013858c9e1 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077051465 2 bytes [05, 77] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770514bb 2 bytes [05, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [5504] entry point in ".rdata" section 00000000631971e6 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes JMP a23f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[3624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes JMP a23f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[2564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes JMP a23f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes JMP 3f3f3f3f .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_206.exe[5564] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000779711f5 8 bytes {JMP 0xd} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077971390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007797143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007797158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007797191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077971b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077971bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077971d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077971eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077971edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077971f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077971fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077971fd7 8 bytes {JMP 0xb} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077972272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077972301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077972792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000779727b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000779727d2 8 bytes {JMP 0x10} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007797282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077972890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077972d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077972d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077973023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007797323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000779733c0 16 bytes {JMP 0x4e} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077973a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077973ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077973b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077973d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077974190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000779c1500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779c1530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779c1f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] 
C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000733013cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007330146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000733016d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000733016e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000733019db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000733019fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000073301a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000073301a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000073301a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Emilia\Downloads\xxq8lbmk.exe[2044] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000073301a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88002597fb0] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f4b7e2ed0022
Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@LastProcessedRevision 28042039
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f4b7e2ed0022 (not active ControlSet)

---- EOF - GMER 2.1 ----