GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-04 20:50:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EARS-00Y5B1 rev.80.00A80 931,51GB
Running: gmer.exe; Driver: C:\Users\mati\AppData\Local\Temp\aftciaoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031b2000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031b202f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\avp.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000771cfaa8 5 bytes JMP 0000000172a12e30
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\avp.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000771d0038 5 bytes JMP 0000000172a12df0
.text D:\Malwarebytes Anti-Malware\mbamservice.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076831465 2 bytes [83, 76]
.text D:\Malwarebytes Anti-Malware\mbamservice.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768314bb 2 bytes [83, 76]
.text ... * 2
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Spybot - Search & Destroy 2\SDTray.exe[5824] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[772] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\steam.exe[3260] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text D:\Steam\bin\steamwebhelper.exe[6024] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3624] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076831465 2 bytes [83, 76]
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3624] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000768314bb 2 bytes [83, 76]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5580] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076fd11f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076fd1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076fd143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076fd158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076fd191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076fd1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076fd1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076fd1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076fd1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076fd1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076fd1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076fd1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076fd1fd7 8 bytes {JMP 0xb}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076fd2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076fd2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076fd2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076fd27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076fd27d2 8 bytes {JMP 0x10}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076fd282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076fd2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076fd2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076fd2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076fd3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076fd323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076fd33c0 16 bytes {JMP 0x4e}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076fd3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076fd3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076fd3b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076fd3d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076fd4190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077021380 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077021500 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077021530 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 8 bytes JMP a23f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077021700 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077021f80 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 8 bytes JMP 3f3f3f3f
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7084] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076fd11f5 8 bytes {JMP 0xd}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076fd1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076fd143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076fd158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076fd191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076fd1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076fd1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076fd1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076fd1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076fd1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076fd1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076fd1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076fd1fd7 8 bytes {JMP 0xb}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076fd2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076fd2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076fd2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076fd27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076fd27d2 8 bytes {JMP 0x10}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076fd282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076fd2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076fd2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076fd2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076fd3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076fd323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076fd33c0 16 bytes {JMP 0x4e}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076fd3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076fd3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076fd3b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076fd3d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076fd4190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077021380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077021500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077021530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077021700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077021f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076831465 2 bytes [83, 76]
.text C:\Users\mati\AppData\Roaming\uTorrent\uTorrent.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768314bb 2 bytes [83, 76]
.text ... * 2
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076fd11f5 8 bytes {JMP 0xd}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076fd1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076fd143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076fd158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076fd191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076fd1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076fd1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076fd1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076fd1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076fd1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076fd1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076fd1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076fd1fd7 8 bytes {JMP 0xb}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076fd2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076fd2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076fd2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076fd27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076fd27d2 8 bytes {JMP 0x10}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076fd282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076fd2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076fd2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076fd2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076fd3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076fd323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076fd33c0 16 bytes {JMP 0x4e}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076fd3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076fd3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076fd3b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076fd3d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076fd4190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077021380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077021500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077021530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077021700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077021f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076831465 2 bytes [83, 76]
.text C:\Users\mati\Downloads\OTL.exe[4840] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000768314bb 2 bytes [83, 76]
.text ... * 2
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076fd11f5 8 bytes {JMP 0xd}
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076fd1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076fd143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076fd158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076fd191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076fd1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076fd1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076fd1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076fd1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076fd1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076fd1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076fd1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076fd1fd7 8 bytes {JMP 0xb} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076fd2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076fd2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076fd2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076fd27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076fd27d2 8 bytes {JMP 0x10} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076fd282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076fd2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076fd2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076fd2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076fd3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076fd323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076fd33c0 16 bytes {JMP 0x4e} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076fd3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076fd3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076fd3b85 8 bytes [10, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076fd3d23 8 bytes [00, 6A, F8, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076fd4190 8 bytes [A0, 69, F8, FF, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077021380 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077021500 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077021530 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 8 bytes JMP a23f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077021700 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077021f80 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 8 bytes JMP 3f3f3f3f .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6268] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076fd11f5 8 bytes {JMP 0xd} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076fd1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076fd143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076fd158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076fd191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076fd1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076fd1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076fd1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076fd1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076fd1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076fd1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076fd1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076fd1fd7 8 bytes {JMP 0xb} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076fd2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076fd2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076fd2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076fd27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076fd27d2 8 bytes {JMP 0x10} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076fd282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076fd2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076fd2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076fd2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076fd3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076fd323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076fd33c0 16 bytes {JMP 0x4e} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076fd3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076fd3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076fd3b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...] 
.text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076fd3d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076fd4190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077021380 8 bytes {JMP QWORD [RIP-0x4d4cf]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077021500 8 bytes {JMP QWORD [RIP-0x4d498]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077021530 8 bytes {JMP QWORD [RIP-0x4d9b1]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077021650 8 bytes {JMP QWORD [RIP-0x4d7a7]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077021700 8 bytes {JMP QWORD [RIP-0x4d9e3]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077021d30 8 bytes {JMP QWORD [RIP-0x4dba6]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077021f80 8 bytes {JMP QWORD [RIP-0x4de55]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770227e0 8 bytes {JMP QWORD [RIP-0x4e770]} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000074ad13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000074ad146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000074ad16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 0000000074ad16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000074ad19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000074ad19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 0000000074ad1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 0000000074ad1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000074ad1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\mati\Desktop\gmer.exe[6324] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 0000000074ad1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880021a106c] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [984:1556] 000007fefcef20b0 Thread C:\Windows\system32\svchost.exe [356:5528] 000007feef47d3c8 Thread C:\Windows\system32\svchost.exe [356:5888] 000007feef47d3c8 Thread C:\Windows\system32\svchost.exe [356:5000] 000007feef47d3c8 Thread C:\Windows\system32\svchost.exe [356:4760] 000007feef47d3c8 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2092:3744] 000007fef22659c4 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2092:192] 000007fef19f7468 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2092:4636] 000007fef19f7468 Thread C:\Program Files\Windows Sidebar\sidebar.exe [2092:4456] 000007fef19f7468 Thread C:\Windows\System32\svchost.exe [2332:3092] 000007fefa979688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5060:3380] 000007fefb152bf8 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\sqlite3.dll (*** suspicious ***) @ C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe [3712](2009-06-27 08:11:12) 0000000060900000 ---- EOF - GMER 2.1 ----