GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-17 17:51:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-3 SAMSUNG_HD103SJ rev.1AJ100E4 931,51GB Running: x49r1s8s.exe; Driver: C:\Users\Kariek\AppData\Local\Temp\kwrdapog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000724d17fa 2 bytes CALL 76bc11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000724d1860 2 bytes CALL 76bc11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000724d1942 2 bytes JMP 754b7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000724d194d 2 bytes JMP 754bcba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075bb1401 2 bytes JMP 76beb20b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075bb1419 2 bytes JMP 76beb336 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075bb1431 2 bytes JMP 76c68f39 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075bb144a 2 bytes CALL 76bc4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075bb14dd 2 bytes JMP 76c68832 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075bb14f5 2 bytes JMP 76c68a08 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075bb150d 2 bytes JMP 76c68728 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075bb1525 2 bytes JMP 76c68af2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075bb153d 2 bytes JMP 76bdfc98 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075bb1555 2 bytes JMP 76be68df C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075bb156d 2 bytes JMP 76c68ff1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075bb1585 2 bytes JMP 76c68b52 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075bb159d 2 bytes JMP 76c686ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075bb15b5 2 bytes JMP 76bdfd31 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075bb15cd 2 bytes JMP 76beb2cc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075bb16b2 2 bytes JMP 76c68eb4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075bb16bd 2 bytes JMP 76c68681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771113ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077111544 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000771118ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077111ba8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077111d25 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077111e8f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077111f75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 0000000077112238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000771126e0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000077112702 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007711275f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 00000000771127c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077112b8b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077112bd7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 00000000771130ab 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 0000000077113238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 00000000771138ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077113923 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000771139f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077113f90 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077114041 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000771140b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000771141f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077114234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 609 00000000771144a1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 000000007711468c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077114753 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077114847 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077114966 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077114a90 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077114ae3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 0000000077114ce5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 0000000077114ee0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 0000000077114fe7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 483 00000000771151d3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 0000000077116016 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!EtwEventProviderEnabled + 198 00000000771160e6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 00000000771161de 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 00000000771163cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 000000007711640d 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 0000000077116424 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007711647c 8 bytes [50, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077116c46 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077117be1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077117c67 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007715da80 8 bytes {JMP QWORD [RIP-0x46e40]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007715dc00 8 bytes {JMP QWORD [RIP-0x465e2]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007715dc30 8 bytes {JMP QWORD [RIP-0x47829]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007715dd50 8 bytes {JMP QWORD [RIP-0x478da]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007715de00 8 bytes {JMP QWORD [RIP-0x479e2]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007715e430 8 bytes {JMP QWORD [RIP-0x467cf]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007715e680 8 bytes {JMP QWORD [RIP-0x46aa5]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007715eee0 8 bytes {JMP QWORD [RIP-0x47403]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000723713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007237146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000723716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000723719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000723719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3668] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072371a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771113ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077111544 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000771118ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077111ba8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077111d25 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077111e8f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077111f75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 0000000077112238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000771126e0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000077112702 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007711275f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 00000000771127c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077112b8b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077112bd7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 00000000771130ab 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 0000000077113238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 00000000771138ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077113923 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000771139f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077113f90 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077114041 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000771140b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000771141f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077114234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 609 00000000771144a1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 000000007711468c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077114753 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077114847 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077114966 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077114a90 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077114ae3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 0000000077114ce5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 0000000077114ee0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 0000000077114fe7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 483 00000000771151d3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 0000000077116016 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!EtwEventProviderEnabled + 198 00000000771160e6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 00000000771161de 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 00000000771163cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 000000007711640d 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 0000000077116424 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007711647c 8 bytes [50, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077116c46 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077117be1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077117c67 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007715da80 8 bytes {JMP QWORD [RIP-0x46e40]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007715dc00 8 bytes {JMP QWORD [RIP-0x465e2]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007715dc30 8 bytes {JMP QWORD [RIP-0x47829]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007715dd50 8 bytes {JMP QWORD [RIP-0x478da]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007715de00 8 bytes {JMP QWORD [RIP-0x479e2]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007715e430 8 bytes {JMP QWORD [RIP-0x467cf]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007715e680 8 bytes {JMP QWORD [RIP-0x46aa5]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007715eee0 8 bytes {JMP QWORD [RIP-0x47403]} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000723713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007237146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000723716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000723719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000723719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3872] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072371a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000771113ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077111544 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000771118ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077111ba8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077111d25 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077111e8f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077111f75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 0000000077112238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000771126e0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000077112702 8 bytes {JMP 0x10} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007711275f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 00000000771127c8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077112b8b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077112bd7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 00000000771130ab 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 0000000077113238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 00000000771138ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077113923 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000771139f5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077113f90 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077114041 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 00000000771140b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000771141f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 0000000077114234 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 609 00000000771144a1 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 000000007711468c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077114753 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077114847 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077114966 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077114a90 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077114ae3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 0000000077114ce5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 0000000077114ee0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 0000000077114fe7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 483 00000000771151d3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 0000000077116016 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!EtwEventProviderEnabled + 198 00000000771160e6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 00000000771161de 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 00000000771163cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 000000007711640d 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 0000000077116424 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 000000007711647c 8 bytes [50, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077116c46 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 241 0000000077117be1 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119 0000000077117c67 8 bytes [00, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007715da80 8 bytes {JMP QWORD [RIP-0x46e40]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 000000007715dc00 8 bytes {JMP QWORD [RIP-0x465e2]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007715dc30 8 bytes {JMP QWORD [RIP-0x47829]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007715dd50 8 bytes {JMP QWORD [RIP-0x478da]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007715de00 8 bytes {JMP QWORD [RIP-0x479e2]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007715e430 8 bytes {JMP QWORD [RIP-0x467cf]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007715e680 8 bytes {JMP QWORD [RIP-0x46aa5]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007715eee0 8 bytes {JMP QWORD [RIP-0x47403]} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000723713cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007237146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000723716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000723719db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000723719fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kariek\Downloads\x49r1s8s.exe[4536] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072371a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004743f58] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3464:2584] 000007fefb292ae8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3464:3980] 000007feef695648 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3464:4072] 000007feef695648 ---- EOF - GMER 2.1 ----