sabine7961 | 15.09.2014 08:41 | Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-09-15 08:19:15
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006a WDC_WD50 rev.06.0 465,76GB
Running: Gmer-19357.exe; Driver: C:\Users\Sabine\AppData\Local\Temp\fglirkob.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003db2000 16 bytes [00, 00, 00, F6, 41, 38, 08, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545 fffff80003db2011 2 bytes [83, C1]
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\Nero\Nero MediaHome 4\NMMediaServerService.exe[3288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\Browny02\BrYNSvc.exe[4784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Users\Sabine\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[5444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Users\Sabine\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe[5444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe[5600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe[5600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000076343f1c 2 bytes JMP 0000000165c89490
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\kernel32.dll!CreateFileW + 3 0000000076343f1f 2 bytes [94, EF]
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000075478e4e 5 bytes JMP 0000000165c88c40
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075480dfb 5 bytes JMP 0000000165c88bd0
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!SetFocus 0000000075482175 5 bytes JMP 0000000165c88c20
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!SetActiveWindow 0000000075483208 5 bytes JMP 0000000165c88c90
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000075487b3b 5 bytes JMP 0000000165c88b30
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007549f170 5 bytes JMP 0000000165c88b00
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 00000000754b90fc 5 bytes JMP 0000000165c88b60
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 00000000754d7d97 5 bytes JMP 0000000165c88b80
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\ole32.dll!DoDragDrop 0000000076d8a827 5 bytes JMP 0000000165c88ae0
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\Origin\Origin.exe[5816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe[6532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75]
.text C:\Program Files (x86)\Nero\Nero MediaHome 4\NeroMediaHome.exe[6532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000777111f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077711390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007771143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007771158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007771191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077711b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077711bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077711d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077711eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077711edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077711f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077711fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077711fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077712272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077712301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077712792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777127b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777127d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007771282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077712890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077712d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077712d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077713023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007771323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000777133c0 16 bytes {JMP 0x4e}
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077713a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077713ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077713b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077713d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077714190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077761380 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077761500 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077761530 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077761700 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077761d30 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077761f80 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777627e0 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007522146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000752216e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000075221a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000075221a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075221a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe[6936] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000075221a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000777111f5 8 bytes {JMP 0xd}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077711390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007771143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007771158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007771191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077711b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077711bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077711d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077711eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077711edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077711f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077711fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077711fd7 8 bytes {JMP 0xb}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077712272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077712301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077712792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777127b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777127d2 8 bytes {JMP 0x10}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007771282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077712890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077712d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077712d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077713023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007771323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000777133c0 16 bytes {JMP 0x4e}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077713a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077713ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077713b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077713d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077714190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077761380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077761500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077761530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077761700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077761d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077761f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777627e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007522146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000752216e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000075221a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000075221a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075221a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000075221a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007790f9e0 5 bytes JMP 0000000159def270
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007790fa28 5 bytes JMP 0000000159def8d2
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007790fa40 5 bytes JMP 0000000159dee00d
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007790fa90 5 bytes JMP 0000000159dedb69
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007790faa8 5 bytes JMP 0000000159dede5a
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007790fb40 5 bytes JMP 0000000159defb12
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007790fc38 5 bytes JMP 0000000159dfaccc
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007790fd4c 5 bytes JMP 0000000159ded9b1
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007790fd64 5 bytes JMP 0000000159dfa2ee
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007790fd98 5 bytes JMP 0000000159dfa5e9
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007790fe44 5 bytes JMP 0000000159deee45
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007790fe5c 5 bytes JMP 0000000159dfa417
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779100b4 5 bytes JMP 0000000159dfa133
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779101c4 5 bytes JMP 0000000159dee1b5
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077910754 5 bytes JMP 0000000159defbb4
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000779109e4 5 bytes JMP 0000000159dfa32b
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000779109fc 5 bytes JMP 0000000159ded785
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077910a44 5 bytes JMP 0000000159dee36b
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077910b80 5 bytes JMP 0000000159ded89b
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077910f70 5 bytes JMP 0000000159dee7f8
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077910f88 5 bytes JMP 0000000159dee994
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077911018 5 bytes JMP 0000000159def95f
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077911030 5 bytes JMP 0000000159defa82
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077911048 5 bytes JMP 0000000159def9ef
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007791133c 5 bytes JMP 0000000159dfa500
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007791147c 5 bytes JMP 0000000159dee66b
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077911528 5 bytes JMP 0000000159deeb58
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077911718 5 bytes JMP 0000000159dee4e3
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077911a58 5 bytes JMP 0000000159dedd12
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077911b9c 5 bytes JMP 0000000159deecda
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007634103d 5 bytes JMP 0000000159dd35da
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076341072 5 bytes JMP 0000000159dd3a3e
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007636c9b5 5 bytes JMP 0000000159dd36f4
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\kernel32.dll!WinExec 00000000763c2ff1 5 bytes JMP 0000000159dd3938
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000773d2642 5 bytes JMP 0000000159dd3c4b
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075479ebd 5 bytes JMP 00000001564761bd
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075480afa 5 bytes JMP 000000015647ac1d
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000075481361 3 bytes JMP 0000000156489197
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\USER32.dll!BeginPaint + 4 0000000075481365 1 byte [E1]
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\USER32.dll!ValidateRect 0000000075487849 5 bytes JMP 00000001565e72cf
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\SHELL32.dll!SHParseDisplayName 0000000075737edb 5 bytes JMP 00000001565406a2
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076c86143 5 bytes JMP 0000000156bbec5c
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7 0000000076c8ea09 7 bytes JMP 0000000159e0e7f9
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!OleRun 0000000076c907de 5 bytes JMP 0000000159e0e338
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076c921e1 5 bytes JMP 0000000159e11c0c
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!OleUninitialize 0000000076c9eba1 6 bytes JMP 0000000159e0e2af
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!OleInitialize 0000000076c9efd7 5 bytes JMP 0000000159e0e267
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076cb54ad 5 bytes JMP 0000000159e10282
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoInitializeEx 0000000076cc09ad 5 bytes JMP 0000000159e0e207
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoUninitialize 0000000076cc86d3 5 bytes JMP 0000000159e10c96
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076cc9d0b 5 bytes JMP 0000000159e119b3
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076cc9d4e 5 bytes JMP 0000000159e0f891
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 0000000076cebb09 7 bytes JMP 0000000159e0e380
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076d0eacf 5 bytes JMP 0000000159e0ff46
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile 0000000076d4340b 5 bytes JMP 0000000159e10d96
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc 0000000076d8cfd9 5 bytes JMP 0000000159e0e2f0
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000768c3e59 5 bytes JMP 00000001564b3c00
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000768c3eae 5 bytes JMP 00000001564c9071
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000768c4731 5 bytes JMP 00000001564d2760
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000768c5dee 5 bytes JMP 000000015654abb1
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject 00000000768f279e 1 byte JMP 0000000159e108a2
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!RegisterActiveObject + 2 00000000768f27a0 3 bytes {JMP RAX}
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!RevokeActiveObject 00000000768f3294 5 bytes JMP 0000000159e0e1bf
.text C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE[5040] C:\Windows\syswow64\OLEAUT32.dll!GetActiveObject 0000000076908f40 5 bytes JMP 0000000159e10a36
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000777111f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077711390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007771143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007771158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007771191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077711b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077711bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077711d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077711eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077711edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077711f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077711fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077711fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077712272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077712301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077712792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777127b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777127d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007771282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077712890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077712d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077712d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077713023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007771323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000777133c0 16 bytes {JMP 0x4e}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077713a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077713ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077713b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077713d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077714190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077761380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077761500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077761530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077761700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077761d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077761f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777627e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007522146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000752216e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000075221a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000075221a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075221a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclRSSrv.exe[4340] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000075221a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000777111f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077711390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007771143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007771158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007771191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077711b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077711bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077711d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077711eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077711edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077711f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077711fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077711fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077712272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077712301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077712792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777127b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777127d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007771282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077712890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077712d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077712d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077713023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007771323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000777133c0 16 bytes {JMP 0x4e}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077713a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077713ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077713b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077713d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077714190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077761380 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077761500 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077761530 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077761700 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077761d30 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077761f80 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777627e0 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007522146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000752216e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000075221a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000075221a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075221a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8416] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000075221a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000777111f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077711390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007771143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007771158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007771191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077711b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077711bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077711d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077711eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077711edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077711f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077711fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077711fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077712272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077712301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077712792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777127b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777127d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007771282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077712890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077712d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000077712d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000077713023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007771323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 00000000777133c0 16 bytes {JMP 0x4e}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000077713a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000077713ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000077713b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000077713d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077714190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077761380 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077761500 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077761530 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077761700 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077761d30 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077761f80 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777627e0 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000752213cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 000000007522146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000752216d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000752216e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000752219db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000752219fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000075221a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000075221a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000075221a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[7304] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000075221a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 00000000777111f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000077711390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 000000007771143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 000000007771158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 000000007771191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000077711b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000077711bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077711d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000077711eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077711edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000077711f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000077711fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000077711fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000077712272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000077712301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000077712792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777127b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777127d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007771282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe[6416] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000077712890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... |