GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-06 22:48:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS727550A9E364 rev.JF3OA0E0 465,76GB Running: g54lddlc.exe; Driver: C:\Users\Bozena\AppData\Local\Temp\fwrdipob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007750faa8 5 bytes JMP 00000001734c18dd .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe[1832] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077510038 5 bytes JMP 00000001734c1ed6 .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774c1401 2 bytes JMP 759ab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774c1419 2 bytes JMP 759ab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774c1431 2 bytes JMP 75a28ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774c144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774c14dd 2 bytes JMP 75a287a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774c14f5 2 bytes JMP 75a28978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774c150d 2 bytes JMP 75a28698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774c1525 2 bytes JMP 75a28a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774c153d 2 bytes JMP 7599fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774c1555 2 bytes JMP 759a68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774c156d 2 bytes JMP 75a28f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774c1585 2 bytes JMP 75a28ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774c159d 2 bytes JMP 75a2865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774c15b5 2 bytes JMP 7599fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774c15cd 2 bytes JMP 759ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774c16b2 2 bytes JMP 75a28e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IGS\BasementDuster.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774c16bd 2 bytes JMP 75a285f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\YourFileDownloaderUpdater\YourFileDownloaderUpdater.exe[1188] C:\Windows\SysWOW64\ntdll.dll!LdrAccessResource 0000000077531fc0 5 bytes JMP 00000001004227a0 .text C:\Program Files (x86)\YourFileDownloaderUpdater\YourFileDownloaderUpdater.exe[1188] C:\Windows\SysWOW64\ntdll.dll!LdrFindResource_U 0000000077531fdd 5 bytes JMP 0000000100422710 .text C:\Program Files (x86)\YourFileDownloaderUpdater\YourFileDownloaderUpdater.exe[1188] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000100638f20 .text C:\TWin\Bin\TWinServer.exe[4992] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000100518f20 .text C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[5020] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 00000001064c8f20 .text C:\Users\Bozena\AppData\Local\SmartWeb\SmartWebHelper.exe[5112] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000103258f20 .text C:\Program Files (x86)\gmsd_pl_59\gmsd_pl_59.exe[4140] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 00000001007e8f20 .text C:\Users\Bozena\AppData\Local\SmartWeb\SmartWebApp.exe[5196] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000100a08f20 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000100ae8f20 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774c1401 2 bytes JMP 759ab21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774c1419 2 bytes JMP 759ab346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774c1431 2 bytes JMP 75a28ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774c144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774c14dd 2 bytes JMP 75a287a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774c14f5 2 bytes JMP 75a28978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774c150d 2 bytes JMP 75a28698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774c1525 2 bytes JMP 75a28a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774c153d 2 bytes JMP 7599fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774c1555 2 bytes JMP 759a68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774c156d 2 bytes JMP 75a28f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774c1585 2 bytes JMP 75a28ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774c159d 2 bytes JMP 75a2865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774c15b5 2 bytes JMP 7599fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774c15cd 2 bytes JMP 759ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774c16b2 2 bytes JMP 75a28e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\upgmsd_pl_59.exe[7656] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774c16bd 2 bytes JMP 75a285f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\gmsd_pl_59\Download\majmp_gentleeu.exe[8064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp[8104] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000102308f20 .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\gentlemjmp_ieu.exe[6764] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000102088f20 .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774c1401 2 bytes JMP 759ab21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774c1419 2 bytes JMP 759ab346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774c1431 2 bytes JMP 75a28ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774c144a 2 bytes CALL 759848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774c14dd 2 bytes JMP 75a287a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774c14f5 2 bytes JMP 75a28978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774c150d 2 bytes JMP 75a28698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774c1525 2 bytes JMP 75a28a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774c153d 2 bytes JMP 7599fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774c1555 2 bytes JMP 759a68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774c156d 2 bytes JMP 75a28f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774c1585 2 bytes JMP 75a28ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774c159d 2 bytes JMP 75a2865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774c15b5 2 bytes JMP 7599fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774c15cd 2 bytes JMP 759ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774c16b2 2 bytes JMP 75a28e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp[6276] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774c16bd 2 bytes JMP 75a285f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2624] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077311398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007731143f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077311594 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007731191e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077311bf8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077311d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077311edf 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077311fc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000773127b0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000773127d2 8 bytes {JMP 0x10} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007731282f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077312898 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077312d1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077312d67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007731323b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000773133c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077313a5e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077313ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077313b85 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077314190 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077314241 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000773142b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000773143f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077314434 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 408 00000000773145d8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 657 00000000773146d1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 0000000077314a9c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077314b63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077314c57 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077314d76 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077314ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077314ef3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 00000000773150f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 00000000773152f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 00000000773153f7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 484 00000000773155e4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 00000000773164d6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007731668e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 000000007731687c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 00000000773168bd 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 00000000773168d4 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007731692c 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077317166 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077317dd1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077317e57 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077361380 8 bytes {JMP QWORD [RIP-0x4a220]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077361500 8 bytes {JMP QWORD [RIP-0x49cef]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077361530 8 bytes {JMP QWORD [RIP-0x4ac62]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077361650 8 bytes {JMP QWORD [RIP-0x4a80f]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077361700 8 bytes {JMP QWORD [RIP-0x4adda]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077361d30 8 bytes {JMP QWORD [RIP-0x49edf]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077361f80 8 bytes {JMP QWORD [RIP-0x4a1b5]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773627e0 8 bytes {JMP QWORD [RIP-0x4ab13]} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000749c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000749c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000749c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000749c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000749c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000749c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Bozena\Downloads\g54lddlc.exe[6012] C:\Windows\syswow64\kernel32.dll!SetFileCompletionNotificationModes 00000000759fb2fe 5 bytes JMP 0000000102d28f20 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8801050bfb0] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [752:4440] 000007fef5df4f84 Thread C:\Windows\system32\svchost.exe [752:4716] 000007fef488d3c8 Thread C:\Windows\system32\svchost.exe [752:4704] 000007fef488d3c8 Thread C:\Windows\system32\svchost.exe [752:4720] 000007fef488d3c8 Thread C:\Windows\system32\svchost.exe [752:4728] 000007fef488d3c8 Thread C:\Program Files (x86)\eMPendium\GabonetBackupService.exe [1328:2788] 000000000375c2a0 Thread C:\Program Files (x86)\eMPendium\GabonetBackupService.exe [1328:2792] 000000000375c2a0 Thread C:\Program Files (x86)\eMPendium\GabonetBackupService.exe [1328:2796] 000000000375c2a0 Thread C:\Program Files (x86)\eMPendium\GabonetBackupService.exe [1328:2800] 000000000375c2a0 Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3044:2192] 000000000049c2a0 Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3044:2260] 000000000049c2a0 Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3044:2248] 000000000049c2a0 Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3044:2284] 000000000049c2a0 ---- Processes - GMER 2.1 ---- Process C:\Users\Bozena\AppData\Roaming\E3AFE132-1425247273-11E2-BC31-41E22C00003D\jnso86DB.tmp (*** suspicious ***) @ C:\Users\Bozena\AppData\Roaming\E3AFE132-1425247273-11E2-BC31-41E22C00003D\jnso86DB.tmp [2408](2015-03-01 21:01:37) 0000000000ec0000 Process C:\Users\Bozena\AppData\Local\E3AFE132-1425247926-11E2-BC31-41E22C00003D\insx3AC2.tmp (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\E3AFE132-1425247926-11E2-BC31-41E22C00003D\insx3AC2.tmp [2988](2015-03-01 21:12:08) 0000000000870000 Process C:\Users\Bozena\AppData\Local\E3AFE132-1425247334-11E2-BC31-41E22C00003D\snso3BCA.tmp (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\E3AFE132-1425247334-11E2-BC31-41E22C00003D\snso3BCA.tmp [3268](2015-03-01 21:02:20) 0000000000840000 Process C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp [8104](2015-03-06 20:59:17) 0000000000400000 Library C:\Users\Bozena\AppData\Local\Temp\is-8ALCB.tmp\itdownload.dll (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\Temp\is-V3920.tmp\majmp_gentleeu.tmp [8104](2015-03-06 20:59:18) 0000000001e60000 Process C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp [6276](2015-03-06 20:59:28) 0000000000400000 Library C:\Users\Bozena\AppData\Local\Temp\is-PKPIN.tmp\itdownload.dll (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp [6276](2015-03-06 20:59:29) 0000000000660000 Library C:\Users\Bozena\AppData\Local\Temp\is-PKPIN.tmp\innocallback.dll (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp [6276] (Sherlock Software)(2015-03-06 20:59:30) 0000000000540000 Library C:\Users\Bozena\AppData\Local\Temp\is-PKPIN.tmp\w8white.cjstyles (*** suspicious ***) @ C:\Users\Bozena\AppData\Local\Temp\is-VFD44.tmp\gentlemjmp_ieu.tmp [6276](2015-03-06 20:59:31) 0000000005a60000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6D0516AC-EB09-4042-AD4A-8DB8EA74A190}\Connection@Name isatap.{A3BABDB3-407B-4218-AD6D-05DB881B85D1} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{21BA9BAF-50F5-4857-9102-E910AD078F9D}?\Device\{6D0516AC-EB09-4042-AD4A-8DB8EA74A190}?\Device\{3B0FCEFD-27F8-4F5A-A045-2CDE476A2446}?\Device\{658A2BDD-3766-4610-BF0A-4F404252F9D4}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{21BA9BAF-50F5-4857-9102-E910AD078F9D}"?"{6D0516AC-EB09-4042-AD4A-8DB8EA74A190}"?"{3B0FCEFD-27F8-4F5A-A045-2CDE476A2446}"?"{658A2BDD-3766-4610-BF0A-4F404252F9D4}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{21BA9BAF-50F5-4857-9102-E910AD078F9D}?\Device\TCPIP6TUNNEL_{6D0516AC-EB09-4042-AD4A-8DB8EA74A190}?\Device\TCPIP6TUNNEL_{3B0FCEFD-27F8-4F5A-A045-2CDE476A2446}?\Device\TCPIP6TUNNEL_{658A2BDD-3766-4610-BF0A-4F404252F9D4}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d1ab62c Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689db41f6b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689dc1bef3 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{6D0516AC-EB09-4042-AD4A-8DB8EA74A190}@InterfaceName isatap.{A3BABDB3-407B-4218-AD6D-05DB881B85D1} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{6D0516AC-EB09-4042-AD4A-8DB8EA74A190}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@LastProcessedRevision 165047871 Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@CheckVersion 23 Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@Type 16 Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@ImagePath C:\Users\Bozena\AppData\Roaming\E3AFE132-1425247273-11E2-BC31-41E22C00003D\jnso86DB.tmp Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@DisplayName Enable Flight Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote@Description Ongoing updates responsible service. Reg HKLM\SYSTEM\CurrentControlSet\services\kuberote Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d1ab62c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689db41f6b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689dc1bef3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\kuberote (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\kuberote@Type 16 Reg HKLM\SYSTEM\ControlSet002\services\kuberote@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\kuberote@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\kuberote@ImagePath C:\Users\Bozena\AppData\Roaming\E3AFE132-1425247273-11E2-BC31-41E22C00003D\jnso86DB.tmp Reg HKLM\SYSTEM\ControlSet002\services\kuberote@DisplayName Enable Flight Reg HKLM\SYSTEM\ControlSet002\services\kuberote@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\kuberote@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\kuberote@Description Ongoing updates responsible service. ---- Files - GMER 2.1 ---- File C:\Users\Bozena\AppData\Local\Mozilla\Firefox\Profiles\p8ibqt6u.default\cache2\entries\C78B183AC6E47A8D057FE51DDF9CBCDCCCB4E580 599 bytes File C:\Users\Bozena\AppData\Local\Mozilla\Firefox\Profiles\p8ibqt6u.default\cache2\entries\F75369DC021DE82F4CB6043BEC5659FB3C6E886C 12504 bytes File C:\Users\Bozena\AppData\Local\Mozilla\Firefox\Profiles\p8ibqt6u.default\cache2\entries\8A1008B168C32A20D5746ADF4A8C5DBFA87228EB 1444 bytes ---- EOF - GMER 2.1 ----