GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-01 20:43:01 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b ST500DM002-1BD142 rev.HP74 465,76GB Running: gywpy6v7.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uxroqpoc.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [2228] entry point in ".rdata" section 0000000071523570 ? C:\WINDOWS\SYSTEM32\DSREG.DLL [2228] entry point in ".rdata" section 00000000711ef900 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [2228] entry point in ".rdata" section 00000000737ec940 ? C:\WINDOWS\system32\apphelp.dll [2228] entry point in ".rdata" section 000000007395f7c0 ? C:\WINDOWS\system32\dbgcore.DLL [2244] entry point in ".rdata" section 00000000737ec940 ? C:\WINDOWS\system32\apphelp.dll [2300] entry point in ".rdata" section 000000007395f7c0 ? C:\WINDOWS\system32\apphelp.dll [2596] entry point in ".rdata" section 000000007395f7c0 ? C:\WINDOWS\SYSTEM32\wship6.dll [3004] entry point in ".rdata" section 0000000072dd2470 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [3004] entry point in ".rdata" section 000000006fac8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7000] entry point in ".rdata" section 0000000071523570 ? C:\Windows\System32\ActXPrxy.dll [7000] entry point in ".rdata" section 00000000681a9c50 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5508] entry point in ".rdata" section 000000006fac8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6492] entry point in ".rdata" section 0000000071523570 ? C:\WINDOWS\SYSTEM32\d3d10_1.dll [9104] entry point in ".rdata" section 0000000063082810 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [9104] entry point in ".rdata" section 000000006238a020 ? C:\WINDOWS\SYSTEM32\DSREG.DLL [9104] entry point in ".rdata" section 00000000711ef900 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9104] entry point in ".rdata" section 0000000071523570 ? C:\WINDOWS\system32\ncryptsslp.dll [9104] entry point in ".rdata" section 000000005ef404f0 ? 
C:\WINDOWS\system32\mssprxy.dll [9104] entry point in ".rdata" section 000000005ed1a650 ? C:\Windows\System32\ActXPrxy.dll [9104] entry point in ".rdata" section 00000000681a9c50 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007fff5a2565c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007fff5a2b63c0 5 bytes [FF, 25, 3A, AC, 1D] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff5a2b65c0 16 bytes {MOV RAX, 0x7fff4ae862b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007fff5a2b6ac0 5 bytes [FF, 25, 3A, A5, 1F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007fff59ccddc0 6 bytes {JMP QWORD [RIP+0xb323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007fff59cd1740 6 bytes {JMP QWORD [RIP+0x78f8ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007fff59cd4973 2 bytes [C6, 0E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007fff59d0c150 6 bytes {JMP QWORD [RIP+0x714eaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007fff59d0d5b0 6 bytes {JMP QWORD [RIP+0x93a4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007fff59d107f0 6 bytes {JMP QWORD [RIP+0x73080a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 
00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD [RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9076] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007fff59ccddc0 6 bytes {JMP QWORD [RIP+0xb323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] 
C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007fff59cd1740 6 bytes {JMP QWORD [RIP+0x78f8ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007fff59cd4973 2 bytes [C6, 0E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007fff59d0c150 6 bytes {JMP QWORD [RIP+0x714eaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007fff59d0d5b0 6 bytes {JMP QWORD [RIP+0x93a4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007fff59d107f0 6 bytes {JMP QWORD [RIP+0x73080a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] 
C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD [RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10016] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD [RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] 
C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5740] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD [RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] 
C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9812] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007fff5a2565c0 6 bytes {JMP QWORD [RIP+0x1caa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff5a2b6260 16 bytes {MOV RAX, 0x7ff62526f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007fff5a2b63c0 5 bytes [FF, 25, 3A, AC, 1F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff5a2b6540 16 bytes {MOV RAX, 0x7ff62526f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff5a2b6580 4 bytes [48, B8, D0, FD] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess + 5 00007fff5a2b6585 11 bytes {AND EAX, 0x7ff6; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff5a2b65a0 16 bytes {MOV RAX, 0x7ff62526fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff5a2b65c0 16 bytes {MOV RAX, 0x7ff62526f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff5a2b6600 16 bytes {MOV RAX, 0x7ff62526f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 
00007fff5a2b66a0 16 bytes {MOV RAX, 0x7ff62526fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff5a2b66c0 16 bytes {MOV RAX, 0x7ff62526fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff5a2b6720 16 bytes {MOV RAX, 0x7ff62526fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff5a2b6860 16 bytes {MOV RAX, 0x7ff62526fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007fff5a2b6ac0 5 bytes [FF, 25, 3A, A5, 21] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff5a2b6b60 16 bytes {MOV RAX, 0x7ff62526fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff5a2b83d0 16 bytes {MOV RAX, 0x7ff62526fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff5a2b8490 16 bytes {MOV RAX, 0x7ff62526fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff5a2b8730 16 bytes {MOV RAX, 0x7ff62526fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007fff59ccddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007fff59cd1740 6 bytes {JMP QWORD [RIP+0x7af8ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007fff59cd4973 2 bytes [C6, 72] .text 
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007fff59d0c150 6 bytes {JMP QWORD [RIP+0x734eaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007fff59d0d5b0 6 bytes {JMP QWORD [RIP+0xa3a4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007fff59d107f0 6 bytes {JMP QWORD [RIP+0x75080a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 
00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD [RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8744] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007fff5a2565c0 6 bytes {JMP QWORD [RIP+0x1caa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff5a2b6260 16 bytes {MOV RAX, 0x7ff62526f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007fff5a2b63c0 5 bytes [FF, 25, 3A, AC, 1F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff5a2b6540 16 bytes {MOV RAX, 0x7ff62526f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff5a2b6580 4 bytes [48, B8, D0, FD] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess + 5 00007fff5a2b6585 11 bytes {AND EAX, 0x7ff6; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff5a2b65a0 16 bytes {MOV RAX, 0x7ff62526fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff5a2b65c0 16 bytes {MOV RAX, 0x7ff62526f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fff5a2b6600 16 bytes {MOV RAX, 0x7ff62526f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff5a2b66a0 16 bytes {MOV RAX, 0x7ff62526fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff5a2b66c0 16 bytes {MOV RAX, 0x7ff62526fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff5a2b6720 16 bytes {MOV RAX, 0x7ff62526fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff5a2b6860 16 bytes {MOV RAX, 0x7ff62526fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007fff5a2b6ac0 5 bytes [FF, 25, 3A, A5, 21] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff5a2b6b60 16 bytes {MOV RAX, 0x7ff62526fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff5a2b83d0 16 bytes {MOV RAX, 0x7ff62526fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff5a2b8490 16 bytes {MOV RAX, 0x7ff62526fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff5a2b8730 16 bytes {MOV RAX, 0x7ff62526fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007fff59ccddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007fff59cd1740 6 bytes {JMP QWORD [RIP+0x7af8ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] 
C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007fff59cd4973 2 bytes [C6, 72] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007fff59d0c150 6 bytes {JMP QWORD [RIP+0x734eaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007fff59d0d5b0 6 bytes {JMP QWORD [RIP+0xa3a4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007fff59d107f0 6 bytes {JMP QWORD [RIP+0x75080a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD [RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] 
C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007fff5a2565c0 6 bytes {JMP QWORD [RIP+0x1caa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fff5a2b6260 16 bytes {MOV RAX, 0x7ff62526f960; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007fff5a2b63c0 5 bytes [FF, 25, 3A, AC, 1F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fff5a2b6540 16 bytes {MOV RAX, 0x7ff62526f9e0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007fff5a2b6580 4 bytes [48, B8, D0, FD] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess + 5 00007fff5a2b6585 11 bytes {AND EAX, 0x7ff6; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fff5a2b65a0 16 bytes {MOV RAX, 0x7ff62526fbc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fff5a2b65c0 16 bytes {MOV RAX, 0x7ff62526f840; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 
00007fff5a2b6600 16 bytes {MOV RAX, 0x7ff62526f8b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fff5a2b66a0 16 bytes {MOV RAX, 0x7ff62526fa50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fff5a2b66c0 16 bytes {MOV RAX, 0x7ff62526fe20; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007fff5a2b6720 16 bytes {MOV RAX, 0x7ff62526fb40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fff5a2b6860 16 bytes {MOV RAX, 0x7ff62526fb80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007fff5a2b6ac0 5 bytes [FF, 25, 3A, A5, 21] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007fff5a2b6b60 16 bytes {MOV RAX, 0x7ff62526fac0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fff5a2b83d0 16 bytes {MOV RAX, 0x7ff62526fe00; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007fff5a2b8490 16 bytes {MOV RAX, 0x7ff62526fda0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fff5a2b8730 16 bytes {MOV RAX, 0x7ff62526fba0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007fff59ccddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007fff59cd1740 
6 bytes {JMP QWORD [RIP+0x7af8ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007fff59cd4973 2 bytes [C6, 72] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007fff59d0c150 6 bytes {JMP QWORD [RIP+0x734eaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007fff59d0d5b0 6 bytes {JMP QWORD [RIP+0xa3a4a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007fff59d107f0 6 bytes {JMP QWORD [RIP+0x75080a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007fff57f16550 6 bytes {JMP QWORD [RIP+0x15daaaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007fff57fa2a30 6 bytes {JMP QWORD [RIP+0x152e5ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007fff57af2630 6 bytes {JMP QWORD [RIP+0x1be9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007fff3caed360 6 bytes {JMP QWORD [RIP+0x403c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007fff3caf8a80 6 bytes {JMP QWORD [RIP+0x35857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007fff3cb43370 6 bytes {JMP QWORD [RIP+0x34dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007fff3cb43c60 6 bytes {JMP QWORD [RIP+0x28d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] 
C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007fff3cb4c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007fff3cb4c7f4 2 bytes [32, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007fff3cb7e370 6 bytes {JMP QWORD [RIP+0x352c8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007fff3cb852a0 6 bytes {JMP QWORD [RIP+0x32bd5a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007fff3cbecdc0 6 bytes {JMP QWORD [RIP+0x24423a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007fff3cbed6e0 6 bytes {JMP QWORD [RIP+0x22391a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007fff3cc15c10 6 bytes {JMP QWORD [RIP+0x1db3ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007fff48172250 6 bytes {JMP QWORD [RIP+0x18edaa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007fff481722e0 6 bytes {JMP QWORD [RIP+0x1ded1a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007fff481ff6d0 6 bytes {JMP QWORD [RIP+0x17192a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007fff481ff850 6 bytes {JMP QWORD [RIP+0x1217aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007fff481ff9a0 6 bytes {JMP QWORD 
[RIP+0x23165a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007fff481ffa80 6 bytes {JMP QWORD [RIP+0x20157a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007fff481ffd10 6 bytes {JMP QWORD [RIP+0x1d12ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007fff481ffde0 6 bytes {JMP QWORD [RIP+0x1a121a]} ? C:\WINDOWS\system32\apphelp.dll [7944] entry point in ".rdata" section 000000007395f7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7960] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff1a352730] C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [636:684] ffff806600336c20 Thread C:\WINDOWS\system32\csrss.exe [636:692] ffff806600336c20 ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000065ac0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000065680000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000064f30000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000064ed0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** 
suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 00000000649e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 00000000644e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000063570000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000061550000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ADAL.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 0000000061480000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 000000005ea20000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [9104] 000000005b930000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x3F 0xF9 0x78 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x65 0x6D 0xC6 0x40 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x3F 0xF9 0x78 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x65 0x6D 0xC6 0x40 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 223 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\PHLC0C5AU01622005215_16_07E0_55+SAM0B320_2C_07DD_1D^E48D7F4C908A8F67FE1452A9479303C5@Timestamp 0x16 0x18 0xEB 0x4D ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 712 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp\Au_.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp\Bu_.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp??\??\C:\Users\Robert\AppData\Local\Temp\_iu14D2N.tmp??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp\Un_A.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp??\??\C:\Users\Robert\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp\Au_.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp??\??\C:\Users\Robert\AppData\Local\Temp\nsn3AAD.tmp\md5dll.dll??\??\C:\Users\Robert\AppData\Local\Temp\nsn3AAD.tmp\??\??\C:\WINDOWS\system32\spool\DRIVERS\x64\3\VNCPrint.SER?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 1381523 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1430292035 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 223 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 505871048 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 10900 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 10253 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 9d2a7afb-f13a-4efb-8aed-e2feafa Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{4020ff79-ec70-43f0-8011-bb36b7292028} Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Aksfridge@FileCounter 15 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\akshhl@CookieCounter 355 Reg 
HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITSb8c18d44-eb6d-4432-aacd-352794b73c59 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@DisplayName CDPUserSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872@Description @%SystemRoot%\system32\cdpusersvc.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{4629b068-2b85-468d-baf5-0fc0e7283680}@LastProbeTime 1496326387 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\6c-19-8f-36-c6-04@AddressCreationTimestamp 0x4B 0xB7 0x40 0x0F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@DisplayName Usługa wiadomości_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872@Description @%SystemRoot%\system32\MessagingService.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@DisplayName Synchronizuj hosta_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872@Description @%SystemRoot%\system32\APHostRes.dll,-10001 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872\Security@Security 0x01 0x00 0x04 0x80 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@DisplayName Dane kontaktowe_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 29 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?czw.?, ?cze ?01 ?17, 04:09:18????????????????????????B???????? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 509 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 24719 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3360 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 222 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dce7d381-10a9-4560-8dd5-8b7e5b14416d}@LeaseObtainedTime 1496327753 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dce7d381-10a9-4560-8dd5-8b7e5b14416d}@T1 1496932553 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dce7d381-10a9-4560-8dd5-8b7e5b14416d}@T2 1497386153 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dce7d381-10a9-4560-8dd5-8b7e5b14416d}@LeaseTerminatesTime 1497537353 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@DisplayName Magazyn danych użytkownika_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@DisplayName Dostęp do danych użytkownika_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x7A 0x5D 0x8D 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x7A 0xC5 0x51 0xAD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x7A 0xF5 0xC8 0xE9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 29026 29032 29042 29052 29072 29116 29126 29164 29170 29186 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 29192 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 29193 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 29026 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 29027 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@DisplayName Usługa użytkownika powiadomień WNS_42872 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872@Description @%SystemRoot%\system32\WpnUserService.dll,-2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_42872 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome.UserData.Profile1 0xA7 0x20 0xED 0x54 ... ---- Files - GMER 2.2 ---- File C:\Users\Robert\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--f9347e15-c843-5744-d919-e4a0593f77af-_12189_0.png 2626 bytes ---- EOF - GMER 2.2 ----