GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-13 20:51:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB Running: bv8k4521.exe; Driver: C:\Users\Igor\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4664] entry point in ".rdata" section 00000000739d71e6 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0xdef228; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0xdef268; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0xdef1a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0xdef128; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0xdef328; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0xdef368; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0xdef2e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0xdef2a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0xdef068; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0xdef0a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0xdef028; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0xdef1e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0xdef168; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0xdef0e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x492628; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x492668; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x4925a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x492528; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x492728; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x492768; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x4926e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x4926a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x492468; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x4924a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x492428; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x4925e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x492568; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x4924e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x372a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x372a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x3729a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x372928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x372b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x372b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x372ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x372aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x372868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x3728a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x372828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x3729e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x372968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x3728e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x47b228; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x47b268; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x47b1a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x47b128; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x47b328; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x47b368; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x47b2e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x47b2a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x47b068; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x47b0a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x47b028; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x47b1e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x47b168; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x47b0e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x285628; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x285668; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x2855a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x285528; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x285728; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x285768; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x2856e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x2856a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x285468; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x2854a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x285428; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x2855e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x285568; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x2854e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0xde4a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0xde4a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0xde49a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0xde4928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0xde4b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0xde4b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0xde4ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0xde4aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0xde4868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0xde48a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0xde4828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0xde49e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0xde4968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0xde48e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x95ba28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x95ba68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x95b9a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x95b928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x95bb28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x95bb68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x95bae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x95baa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x95b868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x95b8a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x95b828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x95b9e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x95b968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x95b8e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x7db628; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x7db668; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x7db5a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x7db528; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x7db728; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x7db768; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x7db6e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x7db6a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x7db468; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x7db4a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x7db428; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x7db5e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x7db568; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x7db4e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x979a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x979a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x9799a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x979928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x979b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x979b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x979ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x979aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x979868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x9798a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x979828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x9799e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x979968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x9798e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0xe43a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0xe43a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0xe439a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0xe43928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0xe43b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0xe43b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0xe43ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0xe43aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0xe43868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0xe438a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0xe43828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0xe439e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0xe43968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0xe438e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x784628; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x784668; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x7845a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x784528; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x784728; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x784768; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x7846e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x7846a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x784468; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x7844a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x784428; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x7845e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x784568; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x7844e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x8b3a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x8b3a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x8b39a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x8b3928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x8b3b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x8b3b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x8b3ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x8b3aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x8b3868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x8b38a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x8b3828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x8b39e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x8b3968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x8b38e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x4e0628; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x4e0668; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x4e05a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x4e0528; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x4e0728; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x4e0768; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x4e06e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x4e06a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x4e0468; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x4e04a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x4e0428; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x4e05e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x4e0568; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x4e04e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[2728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x742228; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x742268; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x7421a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x742128; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x742328; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x742368; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x7422e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x7422a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x742068; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x7420a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x742028; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x7421e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x742168; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x7420e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x26da28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x26da68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x26d9a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x26d928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x26db28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x26db68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x26dae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x26daa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x26d868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x26d8a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x26d828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x26d9e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x26d968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x26d8e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0x7c0a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0x7c0a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0x7c09a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0x7c0928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0x7c0b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0x7c0b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0x7c0ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0x7c0aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0x7c0868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0x7c08a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0x7c0828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0x7c09e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0x7c0968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0x7c08e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[5372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776df991 7 bytes {MOV EDX, 0xfb8a28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776dfbd5 7 bytes {MOV EDX, 0xfb8a68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776dfc05 7 bytes {MOV EDX, 0xfb89a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776dfc1d 7 bytes {MOV EDX, 0xfb8928; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776dfc35 7 bytes {MOV EDX, 0xfb8b28; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776dfc65 7 bytes {MOV EDX, 0xfb8b68; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776dfce5 7 bytes {MOV EDX, 0xfb8ae8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776dfcfd 7 bytes {MOV EDX, 0xfb8aa8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776dfd49 7 bytes {MOV EDX, 0xfb8868; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776dfe41 7 bytes {MOV EDX, 0xfb88a8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776e0099 7 bytes {MOV EDX, 0xfb8828; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776e10a5 7 bytes {MOV EDX, 0xfb89e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776e111d 7 bytes {MOV EDX, 0xfb8968; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776e1321 7 bytes {MOV EDX, 0xfb88e8; JMP RDX} .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076901465 2 bytes [90, 76] .text C:\Users\Igor\AppData\Local\Google\Chrome\Application\chrome.exe[1820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769014bb 2 bytes [90, 76] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [516:3852] 000007fef386d3c8 Thread C:\Windows\system32\svchost.exe [516:5672] 000007fef386d3c8 Thread C:\Windows\system32\svchost.exe [516:4216] 000007fef386d3c8 Thread C:\Windows\system32\svchost.exe [516:4188] 000007fef386d3c8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f7d5e1 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f7d5e1@a8f274814ebf 0xEC 0x29 0x0A 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f7d5e1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f7d5e1@a8f274814ebf 0xEC 0x29 0x0A 0x36 ... ---- Files - GMER 2.1 ---- File C:\Program Files\Microsoft Security Client\Backup\amd64 0 bytes File C:\Program Files\Microsoft Security Client\Backup\amd64\dw20shared.msi 2081792 bytes File C:\Program Files\Microsoft Security Client\Backup\amd64\epp.msi 8253440 bytes File C:\Program Files\Microsoft Security Client\Backup\amd64\setup.exe 1094152 bytes File C:\Program Files\Microsoft Security Client\Backup\amd64\sqmapi.dll 241984 bytes File C:\Program Files\Microsoft Security Client\Backup\amd64\Windows6.0-KB981889-v2.msu 1909720 bytes File C:\Program Files\Microsoft Security Client\Backup\amd64\Windows6.1-KB981889.msu 1318677 bytes File C:\Program Files\Microsoft Security Client\Backup\EppManifest.dll 182248 bytes executable File C:\Program Files\Microsoft Security Client\Backup\pl-pl 0 bytes File C:\Program Files\Microsoft Security Client\Backup\pl-pl\EULA.RTF 26750 bytes File C:\Program Files\Microsoft Security Client\Backup\pl-pl\setupres.dll.mui 49208 bytes executable File C:\Program Files\Microsoft Security Client\Backup\setupres.dll 8760 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\Backup 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter\mpfilter.cat 7715 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter\mpfilter.inf 3137 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter\mpfilter.sys 228768 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.cat 7627 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.inf 2997 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.man 13354 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys 128456 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\mpfilter 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.cat 7715 bytes File C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.inf 3137 bytes File C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.sys 230320 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\NisDrv 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.cat 7627 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.inf 2997 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.man 14762 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.sys 130008 bytes executable File C:\Program Files\Microsoft Security Client\en-us\EULA.RTF 139995 bytes File C:\Program Files\Microsoft Security Client\en-us\MpAsDesc.dll.mui 47696 bytes executable File C:\Program Files\Microsoft Security Client\en-us\mpevmsg.dll.mui 37944 bytes executable File C:\Program Files\Microsoft Security Client\en-us\MsMpRes.dll.mui 93752 bytes executable File C:\Program Files\Microsoft Security Client\en-us\msseooberes.dll.mui 15744 bytes executable File C:\Program Files\Microsoft Security Client\en-us\setupres.dll.mui 43064 bytes executable File C:\Program Files\Microsoft Security Client\en-us\shellext.dll.mui 9272 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\EULA.RTF 26750 bytes File C:\Program Files\Microsoft Security Client\pl-pl\MpAsDesc.dll.mui 55888 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\MpEvMsg.dll.mui 42064 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\MsMpRes.dll.mui 107600 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\setupres.dll.mui 49208 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\shellext.dll.mui 9272 bytes executable File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable ---- EOF - GMER 2.1 ----