GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-26 13:22:34 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000054 WDC_WD16 rev.01.0 149,05GB Running: r8oboee1.exe; Driver: C:\Users\admin\AppData\Local\Temp\uwddakob.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwReplaceKey + 151D 82A42B65 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7CC12 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtCreateFile + 6 76F655F2 4 Bytes [28, DC, 8A, 00] {SUB AH, BL; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtCreateFile + B 76F655F7 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [28, DF, 8A, 00] {SUB BH, BL; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenFile + 6 76F65D02 4 Bytes [68, DC, 8A, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenFile + B 76F65D07 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenProcess + 6 76F65DB2 4 Bytes [A8, DD, 8A, 00] {TEST AL, 0xdd; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenProcess + B 76F65DB7 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenProcessToken + 6 76F65DC2 4 Bytes CALL 75F6E8A4 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenProcessToken + B 76F65DC7 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DD2 4 Bytes [A8, DE, 8A, 00] {TEST AL, 0xde; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenProcessTokenEx + B 76F65DD7 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenThread + 6 76F65E32 4 Bytes [68, DD, 8A, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenThread + B 76F65E37 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenThreadToken + 6 76F65E42 4 Bytes [68, DE, 8A, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenThreadToken + B 76F65E47 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E52 4 Bytes CALL 75F6E935 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtOpenThreadTokenEx + B 76F65E57 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtQueryAttributesFile + 6 76F65F62 4 Bytes [A8, DC, 8A, 00] {TEST AL, 0xdc; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtQueryAttributesFile + B 76F65F67 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtQueryFullAttributesFile + 6 76F66012 4 Bytes CALL 75F6EAF3 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtQueryFullAttributesFile + B 76F66017 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtSetInformationFile + 6 76F66662 4 Bytes [28, DD, 8A, 00] {SUB CH, BL; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtSetInformationFile + B 76F66667 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtSetInformationThread + 6 76F666C2 4 Bytes [28, DE, 8A, 00] {SUB DH, BL; MOV AL, [EAX]} .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtSetInformationThread + B 76F666C7 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtUnmapViewOfSection + 6 76F669E2 4 Bytes [68, DF, 8A, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[2024] ntdll.dll!NtUnmapViewOfSection + B 76F669E7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [18, F0, 74, 71] {SBB AL, DH; JZ 0x75} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtCreateFile + 6 76F655F2 4 Bytes [28, 80, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtCreateFile + B 76F655F7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [28, 83, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenFile + 6 76F65D02 4 Bytes [68, 80, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenFile + B 76F65D07 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenProcess + 6 76F65DB2 4 Bytes [A8, 81, 7A, 00] {TEST AL, 0x81; JP 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenProcess + B 76F65DB7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenProcessToken + 6 76F65DC2 4 Bytes CALL 75F6D848 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenProcessToken + B 76F65DC7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DD2 4 Bytes [A8, 82, 7A, 00] {TEST AL, 0x82; JP 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenProcessTokenEx + B 76F65DD7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenThread + 6 76F65E32 4 Bytes [68, 81, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenThread + B 76F65E37 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenThreadToken + 6 76F65E42 4 Bytes [68, 82, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenThreadToken + B 76F65E47 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E52 4 Bytes CALL 75F6D8D9 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtOpenThreadTokenEx + B 76F65E57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtQueryAttributesFile + 6 76F65F62 4 Bytes [A8, 80, 7A, 00] {TEST AL, 0x80; JP 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtQueryAttributesFile + B 76F65F67 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtQueryFullAttributesFile + 6 76F66012 4 Bytes CALL 75F6DA97 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtQueryFullAttributesFile + B 76F66017 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtSetInformationFile + 6 76F66662 4 Bytes [28, 81, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtSetInformationFile + B 76F66667 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtSetInformationThread + 6 76F666C2 4 Bytes [28, 82, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtSetInformationThread + B 76F666C7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtUnmapViewOfSection + 6 76F669E2 4 Bytes [68, 83, 7A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4404] ntdll.dll!NtUnmapViewOfSection + B 76F669E7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtCreateFile + 6 76F655F2 4 Bytes [28, 40, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtCreateFile + B 76F655F7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [28, 43, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenFile + 6 76F65D02 4 Bytes [68, 40, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenFile + B 76F65D07 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenProcess + 6 76F65DB2 4 Bytes [A8, 41, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenProcess + B 76F65DB7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenProcessToken + 6 76F65DC2 4 Bytes CALL 75F74D08 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenProcessToken + B 76F65DC7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DD2 4 Bytes [A8, 42, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenProcessTokenEx + B 76F65DD7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenThread + 6 76F65E32 4 Bytes [68, 41, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenThread + B 76F65E37 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenThreadToken + 6 76F65E42 4 Bytes [68, 42, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenThreadToken + B 76F65E47 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E52 4 Bytes CALL 75F74D99 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtOpenThreadTokenEx + B 76F65E57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtQueryAttributesFile + 6 76F65F62 4 Bytes [A8, 40, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtQueryAttributesFile + B 76F65F67 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtQueryFullAttributesFile + 6 76F66012 4 Bytes CALL 75F74F57 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtQueryFullAttributesFile + B 76F66017 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtSetInformationFile + 6 76F66662 4 Bytes [28, 41, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtSetInformationFile + B 76F66667 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtSetInformationThread + 6 76F666C2 4 Bytes [28, 42, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtSetInformationThread + B 76F666C7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtUnmapViewOfSection + 6 76F669E2 4 Bytes [68, 43, EF, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4948] ntdll.dll!NtUnmapViewOfSection + B 76F669E7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtCreateFile + 6 76F655F2 4 Bytes [28, 24, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtCreateFile + B 76F655F7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [28, 27, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenFile + 6 76F65D02 4 Bytes [68, 24, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenFile + B 76F65D07 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenProcess + 6 76F65DB2 4 Bytes [A8, 25, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenProcess + B 76F65DB7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenProcessToken + 6 76F65DC2 4 Bytes CALL 75F74FEC C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenProcessToken + B 76F65DC7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DD2 4 Bytes [A8, 26, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenProcessTokenEx + B 76F65DD7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenThread + 6 76F65E32 4 Bytes [68, 25, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenThread + B 76F65E37 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenThreadToken + 6 76F65E42 4 Bytes [68, 26, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenThreadToken + B 76F65E47 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E52 4 Bytes CALL 75F7507D C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtOpenThreadTokenEx + B 76F65E57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtQueryAttributesFile + 6 76F65F62 4 Bytes [A8, 24, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtQueryAttributesFile + B 76F65F67 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtQueryFullAttributesFile + 6 76F66012 4 Bytes CALL 75F7523B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtQueryFullAttributesFile + B 76F66017 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtSetInformationFile + 6 76F66662 4 Bytes [28, 25, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtSetInformationFile + B 76F66667 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtSetInformationThread + 6 76F666C2 4 Bytes [28, 26, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtSetInformationThread + B 76F666C7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtUnmapViewOfSection + 6 76F669E2 4 Bytes [68, 27, F2, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5072] ntdll.dll!NtUnmapViewOfSection + B 76F669E7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtCreateFile + 6 76F655F2 4 Bytes [28, 1C, 79, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtCreateFile + B 76F655F7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [28, 1F, 79, 00] {SUB [EDI], BL; JNS 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenFile + 6 76F65D02 4 Bytes [68, 1C, 79, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenFile + B 76F65D07 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenProcess + 6 76F65DB2 4 Bytes [A8, 1D, 79, 00] {TEST AL, 0x1d; JNS 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenProcess + B 76F65DB7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenProcessToken + 6 76F65DC2 4 Bytes CALL 75F6D6E4 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenProcessToken + B 76F65DC7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DD2 4 Bytes [A8, 1E, 79, 00] {TEST AL, 0x1e; JNS 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenProcessTokenEx + B 76F65DD7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenThread + 6 76F65E32 4 Bytes [68, 1D, 79, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenThread + B 76F65E37 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenThreadToken + 6 76F65E42 4 Bytes [68, 1E, 79, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenThreadToken + B 76F65E47 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E52 4 Bytes CALL 75F6D775 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtOpenThreadTokenEx + B 76F65E57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtQueryAttributesFile + 6 76F65F62 4 Bytes [A8, 1C, 79, 00] {TEST AL, 0x1c; JNS 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtQueryAttributesFile + B 76F65F67 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtQueryFullAttributesFile + 6 76F66012 4 Bytes CALL 75F6D933 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtQueryFullAttributesFile + B 76F66017 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtSetInformationFile + 6 76F66662 4 Bytes [28, 1D, 79, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtSetInformationFile + B 76F66667 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtSetInformationThread + 6 76F666C2 4 Bytes [28, 1E, 79, 00] {SUB [ESI], BL; JNS 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtSetInformationThread + B 76F666C7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtUnmapViewOfSection + 6 76F669E2 4 Bytes [68, 1F, 79, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5172] ntdll.dll!NtUnmapViewOfSection + B 76F669E7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtCreateFile + 6 76F655F2 4 Bytes [28, D8, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtCreateFile + B 76F655F7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtMapViewOfSection + 6 76F65C52 4 Bytes [28, DB, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtMapViewOfSection + B 76F65C57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenFile + 6 76F65D02 4 Bytes [68, D8, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenFile + B 76F65D07 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenProcess + 6 76F65DB2 4 Bytes [A8, D9, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenProcess + B 76F65DB7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenProcessToken + 6 76F65DC2 4 Bytes CALL 75F759A0 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenProcessToken + B 76F65DC7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DD2 4 Bytes [A8, DA, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenProcessTokenEx + B 76F65DD7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenThread + 6 76F65E32 4 Bytes [68, D9, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenThread + B 76F65E37 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenThreadToken + 6 76F65E42 4 Bytes [68, DA, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenThreadToken + B 76F65E47 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E52 4 Bytes CALL 75F75A31 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtOpenThreadTokenEx + B 76F65E57 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtQueryAttributesFile + 6 76F65F62 4 Bytes [A8, D8, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtQueryAttributesFile + B 76F65F67 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtQueryFullAttributesFile + 6 76F66012 4 Bytes CALL 75F75BEF C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtQueryFullAttributesFile + B 76F66017 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtSetInformationFile + 6 76F66662 4 Bytes [28, D9, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtSetInformationFile + B 76F66667 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtSetInformationThread + 6 76F666C2 4 Bytes [28, DA, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtSetInformationThread + B 76F666C7 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtUnmapViewOfSection + 6 76F669E2 4 Bytes [68, DB, FB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5708] ntdll.dll!NtUnmapViewOfSection + B 76F669E7 1 Byte [E2] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B25635] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B256F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B424A2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B4251D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B38581] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B34D35] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B350DC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B351B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73B366DE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B382D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B38827] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B39088] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B3E22B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[348] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B34C67] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@6B0A3F9A 445 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{86B6883A-8ACA-11E4-A87D-806E6F6E6963} 1414983288 ---- Files - GMER 2.2 ---- File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_00002f 225976 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_000031 46068 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_00009f 123644 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_0000b7 19852 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_0000be 53633 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_000109 32642 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_00010a 54126 bytes executable File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_00010c 32644 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_00010d 32645 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_000116 51447 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_000118 32648 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_000119 18511 bytes File C:\Users\admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_00011d 32643 bytes ---- EOF - GMER 2.2 ----