GMER 2.1.19115 - http://www.gmer.net Rootkit scan 2013-03-02 13:43:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB Running: nijtpcqj.exe; Driver: C:\Users\Art\AppData\Local\Temp\uxriapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010015091c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100150048 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001001502ee .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001001504b2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001001509fe .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100150ae0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010015012a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100150758 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100150676 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001001503d0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100150594 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010015083a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010015020c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 000000010016059e .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100150f52 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 0000000100160210 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 0000000100160048 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8aaca9d1} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100150ca6 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001001603d8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 000000010016012c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001001602f4 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100150e6e .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2012] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2012] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010020091c .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100200048 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001002002ee .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001002004b2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001002009fe .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100200ae0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010002004c .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010020012a .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100200758 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100200676 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001002003d0 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100200594 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010020083a .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010020020c .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 000000010021059e .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100200f52 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 0000000100210210 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 0000000100210048 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8ab7a9d1} .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100200ca6 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001002103d8 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 000000010021012c .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001002102f4 .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100200e6e .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 000000006dfd1a22 2 bytes [FD, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 000000006dfd1ad0 2 bytes [FD, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 000000006dfd1b08 2 bytes [FD, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 000000006dfd1bba 2 bytes [FD, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 000000006dfd1bda 2 bytes [FD, 6D] .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 00000001000d091c .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 00000001000d0048 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001000d02ee .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001000d04b2 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001000d09fe .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 00000001000d0ae0 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 00000001000d012a .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 00000001000d0758 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 00000001000d0676 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001000d03d0 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 00000001000d0594 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 00000001000d083a .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 00000001000d020c .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001000e059e .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 00000001000d0f52 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 00000001000e0210 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 00000001000e0048 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8aa4a9d1} .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 00000001000d0ca6 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001000e03d8 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 00000001000e012c .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001000e02f4 .text C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe[1108] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 00000001000d0e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010009091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100090048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001000902ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001000904b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001000909fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100090ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010009012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100090758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100090676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001000903d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100090594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010009083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010009020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001000a04bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100090f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 00000001000a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 00000001000a0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8aa0a9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100090ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001000a03d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 00000001000a012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001000a02f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100090e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4760] entry point in ".rdata" section 00000000752271e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077c7f991 7 bytes {MOV EDX, 0x18ba28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077c7fbd5 7 bytes {MOV EDX, 0x18ba68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077c7fc05 7 bytes {MOV EDX, 0x18b9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077c7fc1d 7 bytes {MOV EDX, 0x18b928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077c7fc35 7 bytes {MOV EDX, 0x18bb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077c7fc65 7 bytes {MOV EDX, 0x18bb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 00000001001e091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077c7fce5 7 bytes {MOV EDX, 0x18bae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077c7fcfd 7 bytes {MOV EDX, 0x18baa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077c7fd49 7 bytes {MOV EDX, 0x18b868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 00000001001e0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077c7fe41 7 bytes {MOV EDX, 0x18b8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001001e02ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001001e04b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001001e09fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 00000001001e0ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 00000001001c004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077c80099 7 bytes {MOV EDX, 0x18b828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 00000001001e012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 00000001001e0758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 00000001001e0676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001001e03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077c810a5 7 bytes {MOV EDX, 0x18b9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077c8111d 7 bytes {MOV EDX, 0x18b968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077c81321 7 bytes {MOV EDX, 0x18b8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 00000001001e0594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 00000001001e083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 00000001001e020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001002e04bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 00000001001e0f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 00000001002e0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 00000001002e0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8ac4a9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 00000001001e0ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001002e03d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 00000001002e012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001002e02f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 00000001001e0e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077c7f991 7 bytes {MOV EDX, 0xd8c228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077c7fbd5 7 bytes {MOV EDX, 0xd8c268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077c7fc05 7 bytes {MOV EDX, 0xd8c1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077c7fc1d 7 bytes {MOV EDX, 0xd8c128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077c7fc35 7 bytes {MOV EDX, 0xd8c328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077c7fc65 7 bytes {MOV EDX, 0xd8c368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 0000000100f7091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077c7fce5 7 bytes {MOV EDX, 0xd8c2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077c7fcfd 7 bytes {MOV EDX, 0xd8c2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077c7fd49 7 bytes {MOV EDX, 0xd8c068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100f70048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077c7fe41 7 bytes {MOV EDX, 0xd8c0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 0000000100f702ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 0000000100f704b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 0000000100f709fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100f70ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 0000000100e5004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077c80099 7 bytes {MOV EDX, 0xd8c028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 0000000100f7012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100f70758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100f70676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 0000000100f703d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077c810a5 7 bytes {MOV EDX, 0xd8c1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077c8111d 7 bytes {MOV EDX, 0xd8c168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077c81321 7 bytes {MOV EDX, 0xd8c0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100f70594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 0000000100f7083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 0000000100f7020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 0000000100f804bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100f70f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 0000000100f80210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 0000000100f80048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8b8ea9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100f70ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 0000000100f803d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 0000000100f8012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 0000000100f802f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100f70e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077c7f991 7 bytes {MOV EDX, 0xb4ba28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077c7fbd5 7 bytes {MOV EDX, 0xb4ba68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077c7fc05 7 bytes {MOV EDX, 0xb4b9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077c7fc1d 7 bytes {MOV EDX, 0xb4b928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077c7fc35 7 bytes {MOV EDX, 0xb4bb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077c7fc65 7 bytes {MOV EDX, 0xb4bb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 0000000100c6091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077c7fce5 7 bytes {MOV EDX, 0xb4bae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077c7fcfd 7 bytes {MOV EDX, 0xb4baa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077c7fd49 7 bytes {MOV EDX, 0xb4b868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100c60048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077c7fe41 7 bytes {MOV EDX, 0xb4b8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 0000000100c602ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 0000000100c604b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 0000000100c609fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100c60ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 0000000100c0004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077c80099 7 bytes {MOV EDX, 0xb4b828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 0000000100c6012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100c60758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100c60676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 0000000100c603d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077c810a5 7 bytes {MOV EDX, 0xb4b9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077c8111d 7 bytes {MOV EDX, 0xb4b968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077c81321 7 bytes {MOV EDX, 0xb4b8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100c60594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 0000000100c6083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 0000000100c6020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 0000000100c704bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100c60f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 0000000100c70210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 0000000100c70048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8b5da9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100c60ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 0000000100c703d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 0000000100c7012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 0000000100c702f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100c60e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077c7f991 7 bytes {MOV EDX, 0x6a9e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077c7fbd5 7 bytes {MOV EDX, 0x6a9e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077c7fc05 7 bytes {MOV EDX, 0x6a9da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077c7fc1d 7 bytes {MOV EDX, 0x6a9d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077c7fc35 7 bytes {MOV EDX, 0x6a9f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077c7fc65 7 bytes {MOV EDX, 0x6a9f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010080091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077c7fce5 7 bytes {MOV EDX, 0x6a9ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077c7fcfd 7 bytes {MOV EDX, 0x6a9ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077c7fd49 7 bytes {MOV EDX, 0x6a9c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100800048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077c7fe41 7 bytes {MOV EDX, 0x6a9ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001008002ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001008004b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001008009fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100800ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010076004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077c80099 7 bytes {MOV EDX, 0x6a9c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010080012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100800758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100800676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001008003d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077c810a5 7 bytes {MOV EDX, 0x6a9de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077c8111d 7 bytes {MOV EDX, 0x6a9d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077c81321 7 bytes {MOV EDX, 0x6a9ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100800594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010080083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010080020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001008504bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100800f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 0000000100850210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 0000000100850048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8b1ba9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100800ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001008503d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 000000010085012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001008502f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100800e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077c7f991 7 bytes {MOV EDX, 0x6b2e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077c7fbd5 7 bytes {MOV EDX, 0x6b2e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077c7fc05 7 bytes {MOV EDX, 0x6b2da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077c7fc1d 7 bytes {MOV EDX, 0x6b2d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077c7fc35 7 bytes {MOV EDX, 0x6b2f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077c7fc65 7 bytes {MOV EDX, 0x6b2f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010079091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077c7fce5 7 bytes {MOV EDX, 0x6b2ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077c7fcfd 7 bytes {MOV EDX, 0x6b2ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077c7fd49 7 bytes {MOV EDX, 0x6b2c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100790048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077c7fe41 7 bytes {MOV EDX, 0x6b2ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001007902ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001007904b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001007909fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100790ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010077004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077c80099 7 bytes {MOV EDX, 0x6b2c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010079012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100790758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100790676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001007903d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077c810a5 7 bytes {MOV EDX, 0x6b2de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077c8111d 7 bytes {MOV EDX, 0x6b2d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077c81321 7 bytes {MOV EDX, 0x6b2ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100790594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010079083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010079020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001007a04bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100790f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 00000001007a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 00000001007a0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8b10a9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100790ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001007a03d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 00000001007a012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001007a02f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100790e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010009091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100090048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001000902ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001000904b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001000909fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100090ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010009012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100090758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100090676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001000903d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100090594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010009083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010009020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001000a04bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100090f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 00000001000a0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 00000001000a0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8aa0a9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100090ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001000a03d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 00000001000a012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001000a02f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100090e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077c7f991 7 bytes {MOV EDX, 0xc40e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077c7fbd5 7 bytes {MOV EDX, 0xc40e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077c7fc05 7 bytes {MOV EDX, 0xc40da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077c7fc1d 7 bytes {MOV EDX, 0xc40d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077c7fc35 7 bytes {MOV EDX, 0xc40f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077c7fc65 7 bytes {MOV EDX, 0xc40f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 0000000100ea091c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077c7fce5 7 bytes {MOV EDX, 0xc40ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077c7fcfd 7 bytes {MOV EDX, 0xc40ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077c7fd49 7 bytes {MOV EDX, 0xc40c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100ea0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077c7fe41 7 bytes {MOV EDX, 0xc40ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 0000000100ea02ee .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 0000000100ea04b2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 0000000100ea09fe .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100ea0ae0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 0000000100d1004c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077c80099 7 bytes {MOV EDX, 0xc40c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 0000000100ea012a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100ea0758 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100ea0676 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 0000000100ea03d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077c810a5 7 bytes {MOV EDX, 0xc40de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077c8111d 7 bytes {MOV EDX, 0xc40d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077c81321 7 bytes {MOV EDX, 0xc40ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100ea0594 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 0000000100ea083a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 0000000100ea020c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 0000000100eb04bc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100ea0f52 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 0000000100eb0210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 0000000100eb0048 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8b81a9d1} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100ea0ca6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 0000000100eb03d8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 0000000100eb012c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 0000000100eb02f4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100ea0e6e .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c31465 2 bytes [C3, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c314bb 2 bytes [C3, 77] .text ... * 2 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c7fc90 5 bytes JMP 000000010029091c .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077c7fdf4 5 bytes JMP 0000000100290048 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077c7fe88 5 bytes JMP 00000001002902ee .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c7ffe4 5 bytes JMP 00000001002904b2 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077c80018 5 bytes JMP 00000001002909fe .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077c80048 5 bytes JMP 0000000100290ae0 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c80064 5 bytes JMP 000000010002004c .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077c8077c 5 bytes JMP 000000010029012a .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c8086c 5 bytes JMP 0000000100290758 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c80884 5 bytes JMP 0000000100290676 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c80dd4 5 bytes JMP 00000001002903d0 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077c81900 5 bytes JMP 0000000100290594 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c81bc4 5 bytes JMP 000000010029083a .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077c81d50 5 bytes JMP 000000010029020c .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007569524f 7 bytes JMP 0000000100290f52 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000756953d0 7 bytes JMP 00000001002a0210 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000075695677 1 byte JMP 00000001002a0048 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000075695679 5 bytes {JMP 0xffffffff8ac0a9d1} .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007569589a 7 bytes JMP 0000000100290ca6 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000075695a1d 7 bytes JMP 00000001002a03d8 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000075695c9b 7 bytes JMP 00000001002a012c .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000075695d87 7 bytes JMP 00000001002a02f4 .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000075697240 7 bytes JMP 0000000100290e6e .text C:\Users\Art\Downloads\nijtpcqj.exe[5412] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000076951492 7 bytes JMP 00000001002a04bc ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e5431f871f Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 354 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e5431f871f (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Art\AppData\Local\Temp\RDR1B42.tmp 0 bytes ---- EOF - GMER 2.1 ----