GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-14 15:48:17 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEKT-22KA9T0 rev.01.01A01 298.09GB Running: cyqnv55v.exe; Driver: C:\Users\Magda\AppData\Local\Temp\pwlirfow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8E2B0AC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8E36C0BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8E2B15A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8E2BD63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8E2BD688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8E2BD822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8E2BD5AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8E36C494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8E2BD5F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8E36C724] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8E2BD7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8E2B2390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8E2B0B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8E2B5B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8E2B0716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8E36C574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8E2B0B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8E2B5F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8E2B2E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8E2BD666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8E2BD6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8E2BD846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8E2BD5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8E2B547E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8E2BD75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8E2BD61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8E2B586A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8E2BD800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8E36C312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8E2B2CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x8E2B2842] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8E2B0BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8E2B0C5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8E36C670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8E2B07B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8E2B0982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8E2B0910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8E2B255A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8E2B26BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8E2B0A0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8E36C3E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8E2B21EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8E2B0CC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8E36C244] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8E36C80E] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 830C3758 4 Bytes [C4, 0A, 2B, 8E] .text ntkrnlpa.exe!KeSetEvent + 131 830C377C 4 Bytes [BA, C0, 36, 8E] .text ntkrnlpa.exe!KeSetEvent + 191 830C37DC 4 Bytes [A2, 15, 2B, 8E] .text ntkrnlpa.exe!KeSetEvent + 1D1 830C381C 8 Bytes [3C, D6, 2B, 8E, 88, D6, 2B, ...] {CMP AL, 0xd6; SUB ECX, [ESI-0x71d42978]} .text ntkrnlpa.exe!KeSetEvent + 1DD 830C3828 4 Bytes [22, D8, 2B, 8E] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8325100F 4 Bytes CALL 8E2B355F \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 83254C83 4 Bytes CALL 8E2B3575 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Alwil Software\Avast5\avastui.exe[1260] kernel32.dll!SetUnhandledExceptionFilter 7598A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!LdrLoadDll 772D9378 5 Bytes JMP 009601F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!LdrUnloadDll 772EB680 5 Bytes JMP 009603FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtCreateFile + 6 7731426A 4 Bytes [28, 8C, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtCreateFile + B 7731426F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtMapViewOfSection + 6 773149BA 4 Bytes [28, 8F, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtMapViewOfSection + B 773149BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenFile + 6 77314A4A 4 Bytes [68, 8C, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenFile + B 77314A4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenProcess + 6 77314ACA 4 Bytes [A8, 8D, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenProcess + B 77314ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenProcessToken + 6 77314ADA 4 Bytes CALL 7631DC6C C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenProcessToken + B 77314ADF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenProcessTokenEx + 6 77314AEA 4 Bytes [A8, 8E, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenProcessTokenEx + B 77314AEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenThread + 6 77314B3A 4 Bytes [68, 8D, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenThread + B 77314B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenThreadToken + 6 77314B4A 4 Bytes [68, 8E, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenThreadToken + B 77314B4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenThreadTokenEx + 6 77314B5A 4 Bytes CALL 7631DCED C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtOpenThreadTokenEx + B 77314B5F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtQueryAttributesFile + 6 77314BEA 4 Bytes [A8, 8C, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtQueryAttributesFile + B 77314BEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtQueryFullAttributesFile + 6 77314C9A 4 Bytes CALL 7631DE2B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtQueryFullAttributesFile + B 77314C9F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtSetInformationFile + 6 7731517A 4 Bytes [28, 8D, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtSetInformationFile + B 7731517F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtSetInformationThread + 6 773151CA 4 Bytes [28, 8E, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtSetInformationThread + B 773151CF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtUnmapViewOfSection + 6 7731546A 4 Bytes [68, 8F, 91, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1856] ntdll.dll!NtUnmapViewOfSection + B 7731546F 1 Byte [E2] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1868] kernel32.dll!SetUnhandledExceptionFilter 7598A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!LdrLoadDll 772D9378 5 Bytes JMP 006C01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!LdrUnloadDll 772EB680 5 Bytes JMP 006C03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtCreateFile + 6 7731426A 4 Bytes [28, 08, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtCreateFile + B 7731426F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtMapViewOfSection + 6 773149BA 4 Bytes [28, 0B, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtMapViewOfSection + B 773149BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenFile + 6 77314A4A 4 Bytes [68, 08, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenFile + B 77314A4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenProcess + 6 77314ACA 4 Bytes [A8, 09, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenProcess + B 77314ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenProcessToken + 6 77314ADA 4 Bytes CALL 7631B0E8 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenProcessToken + B 77314ADF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenProcessTokenEx + 6 77314AEA 4 Bytes [A8, 0A, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenProcessTokenEx + B 77314AEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenThread + 6 77314B3A 4 Bytes [68, 09, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenThread + B 77314B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenThreadToken + 6 77314B4A 4 Bytes [68, 0A, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenThreadToken + B 77314B4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenThreadTokenEx + 6 77314B5A 4 Bytes CALL 7631B169 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtOpenThreadTokenEx + B 77314B5F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtQueryAttributesFile + 6 77314BEA 4 Bytes [A8, 08, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtQueryAttributesFile + B 77314BEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtQueryFullAttributesFile + 6 77314C9A 4 Bytes CALL 7631B2A7 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtQueryFullAttributesFile + B 77314C9F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtSetInformationFile + 6 7731517A 4 Bytes [28, 09, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtSetInformationFile + B 7731517F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtSetInformationThread + 6 773151CA 4 Bytes [28, 0A, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtSetInformationThread + B 773151CF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtUnmapViewOfSection + 6 7731546A 4 Bytes [68, 0B, 66, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1992] ntdll.dll!NtUnmapViewOfSection + B 7731546F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2260] ntdll.dll!LdrLoadDll 772D9378 5 Bytes JMP 000601F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2260] ntdll.dll!LdrUnloadDll 772EB680 5 Bytes JMP 000603FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2260] ntdll.dll!NtMapViewOfSection + 6 773149BA 4 Bytes [18, 20, E0, 5F] {SBB [EAX], AH; LOOPNZ 0x63} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2260] ntdll.dll!NtMapViewOfSection + B 773149BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!LdrLoadDll 772D9378 5 Bytes JMP 00ED01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!LdrUnloadDll 772EB680 5 Bytes JMP 00ED03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtCreateFile + 6 7731426A 4 Bytes [28, 7C, E7, 00] {SUB [EDI+0x0], BH} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtCreateFile + B 7731426F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtMapViewOfSection + 6 773149BA 4 Bytes [28, 7F, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtMapViewOfSection + B 773149BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenFile + 6 77314A4A 4 Bytes [68, 7C, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenFile + B 77314A4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenProcess + 6 77314ACA 4 Bytes [A8, 7D, E7, 00] {TEST AL, 0x7d; OUT 0x0, EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenProcess + B 77314ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenProcessToken + 6 77314ADA 4 Bytes CALL 7632325C C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenProcessToken + B 77314ADF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenProcessTokenEx + 6 77314AEA 4 Bytes [A8, 7E, E7, 00] {TEST AL, 0x7e; OUT 0x0, EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenProcessTokenEx + B 77314AEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenThread + 6 77314B3A 4 Bytes [68, 7D, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenThread + B 77314B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenThreadToken + 6 77314B4A 4 Bytes [68, 7E, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenThreadToken + B 77314B4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenThreadTokenEx + 6 77314B5A 4 Bytes CALL 763232DD C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtOpenThreadTokenEx + B 77314B5F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtQueryAttributesFile + 6 77314BEA 4 Bytes [A8, 7C, E7, 00] {TEST AL, 0x7c; OUT 0x0, EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtQueryAttributesFile + B 77314BEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtQueryFullAttributesFile + 6 77314C9A 4 Bytes CALL 7632341B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtQueryFullAttributesFile + B 77314C9F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtSetInformationFile + 6 7731517A 4 Bytes [28, 7D, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtSetInformationFile + B 7731517F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtSetInformationThread + 6 773151CA 4 Bytes [28, 7E, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtSetInformationThread + B 773151CF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtUnmapViewOfSection + 6 7731546A 4 Bytes [68, 7F, E7, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4980] ntdll.dll!NtUnmapViewOfSection + B 7731546F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!LdrLoadDll 772D9378 5 Bytes JMP 00AD01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!LdrUnloadDll 772EB680 5 Bytes JMP 00AD03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtCreateFile + 6 7731426A 4 Bytes [28, 88, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtCreateFile + B 7731426F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtMapViewOfSection + 6 773149BA 4 Bytes [28, 8B, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtMapViewOfSection + B 773149BF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenFile + 6 77314A4A 4 Bytes [68, 88, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenFile + B 77314A4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenProcess + 6 77314ACA 4 Bytes [A8, 89, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenProcess + B 77314ACF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenProcessToken + 6 77314ADA 4 Bytes CALL 7631DF68 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenProcessToken + B 77314ADF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenProcessTokenEx + 6 77314AEA 4 Bytes [A8, 8A, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenProcessTokenEx + B 77314AEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenThread + 6 77314B3A 4 Bytes [68, 89, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenThread + B 77314B3F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenThreadToken + 6 77314B4A 4 Bytes [68, 8A, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenThreadToken + B 77314B4F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenThreadTokenEx + 6 77314B5A 4 Bytes CALL 7631DFE9 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtOpenThreadTokenEx + B 77314B5F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtQueryAttributesFile + 6 77314BEA 4 Bytes [A8, 88, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtQueryAttributesFile + B 77314BEF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtQueryFullAttributesFile + 6 77314C9A 4 Bytes CALL 7631E127 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtQueryFullAttributesFile + B 77314C9F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtSetInformationFile + 6 7731517A 4 Bytes [28, 89, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtSetInformationFile + B 7731517F 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtSetInformationThread + 6 773151CA 4 Bytes [28, 8A, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtSetInformationThread + B 773151CF 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtUnmapViewOfSection + 6 7731546A 4 Bytes [68, 8B, 94, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5512] ntdll.dll!NtUnmapViewOfSection + B 7731546F 1 Byte [E2] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74147817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74185EFD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7414BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7413F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741475E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7413E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [741992D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7414DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7413FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7413FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741371CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [741CCB4F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7416C840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7413D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74136853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7413687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll IAT C:\Windows\Explorer.EXE[1880] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74142AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19227_none_9e528838ca1611c0\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2021 ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d} 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData\Roaming\.wtw 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData\Roaming\.wtw\profiles 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData\Roaming\.wtw\profiles\Megg 0 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData\Roaming\.wtw\profiles\Megg\.name 8 bytes File C:\avast! sandbox\S-1-5-21-251121527-2021168873-2295293381-1000\r707\wtw.exe_{12354bb0-d75e-11e2-a6ef-001e3368795d}\C\Users\Magda\AppData\Roaming\.wtw\profiles\Megg\wtw.db 0 bytes ---- EOF - GMER 2.1 ----