GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-26 18:58:50 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000029 WDC_WD10JPVX-60JC3T0 rev.01.01A01 931,51GB Running: tfotpsh1.exe; Driver: C:\Users\nofa\AppData\Local\Temp\awldrfod.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2260] entry point in ".rdata" section 00000000739dbb10 .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 9B, 7E, 00, 00, 00, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 9B, 7E, 00, 00, 00, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 9B, 7E, 00, 00, 00, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 9B, 7E, 00, 00, 00, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 9B, 7E, 00, 00, 00, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\AppData\Local\Microsoft\OneDrive\OneDrive.exe[5708] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\SYSTEM32\iertutil.dll [5708] entry point in ".rdata" section 000000006bebcaf0 .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 77, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 77, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 77, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 77, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 77, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Origin\Origin.exe[5728] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5728] entry point in ".rdata" section 00000000739dbb10 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5728] entry point in ".rdata" section 0000000064018fa0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5988] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\SYSTEM32\iertutil.dll [5988] entry point in ".rdata" section 000000006bebcaf0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5988] entry point in ".rdata" section 00000000739dbb10 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5988] entry point in ".rdata" section 0000000064018fa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [5988] entry point in ".rdata" section 00000000707fbc40 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, B5, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, B5, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, B5, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, B5, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, B5, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6344] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6344] entry point in ".rdata" section 0000000070cd0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, B4, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, B4, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, B4, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, B4, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, B4, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6360] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6360] entry point in ".rdata" section 0000000070cd0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 09, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 09, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 09, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 09, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 09, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6552] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6552] entry point in ".rdata" section 0000000070cd0380 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6552] entry point in ".rdata" section 00000000739dbb10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 59, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 59, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 59, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 59, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 59, FE, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6676] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6676] entry point in ".rdata" section 0000000070cd0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 11, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 11, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 11, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 11, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 11, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5724] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [5724] entry point in ".rdata" section 0000000070cd0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 56, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 56, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 56, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 56, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 56, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6352] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6352] entry point in ".rdata" section 0000000070cd0380 .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, F8, 7F, 00, 00, 00, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\nofa\Downloads\tfotpsh1.exe[7276] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [7276] entry point in ".rdata" section 0000000070cd0380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlRealPredecessor + 68 00007ffe6d5613b4 8 bytes {JMP 0xffffffffffffffd0} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffe6d56148f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 436 00007ffe6d561654 8 bytes [D0, 6A, 76, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlpMergeSecurityAttributeInformation + 677 00007ffe6d561745 8 bytes [C0, 6A, 76, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 248 00007ffe6d561848 8 bytes [B0, 6A, 76, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 944 00007ffe6d561b00 8 bytes [A0, 6A, 76, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUnlockModuleSection + 487 00007ffe6d562327 8 bytes [70, 6A, 76, FF, 00, 00, 00, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffe6d56243f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d605260 8 bytes {JMP QWORD [RIP-0xa3766]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffe6d605560 8 bytes {JMP QWORD [RIP-0xa39f2]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d6055c0 8 bytes {JMP QWORD [RIP-0xa3f72]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d605800 8 bytes {JMP QWORD [RIP-0xa3fbe]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffe6d605960 8 bytes {JMP QWORD [RIP-0xa4221]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d606730 8 bytes {JMP QWORD [RIP-0xa42f7]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe6d606d30 8 bytes {JMP QWORD [RIP-0xa4a0f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d607ef0 8 bytes {JMP QWORD [RIP-0xa628f]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\system32\wow64cpu.dll!BTCpuProcessInit + 101 0000000061cf1405 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 572 0000000061cf164c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\system32\wow64cpu.dll!BTCpuGetBopCode + 883 0000000061cf1783 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 30 0000000061cf17ae 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7312] C:\WINDOWS\system32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000061cf17e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [7312] entry point in ".rdata" section 0000000070cd0380 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\Explorer.EXE[3004] @ C:\WINDOWS\system32\RPCRT4.dll[ntdll.dll!NtAlpcConnectPortEx] [617564f0] C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x64\prremote.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [808:868] fffff96016124060 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1653801934 Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\5@Timestamp 0x85 0x30 0x65 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3201 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 532 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x3B 0x15 0xA3 0x1B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x3B 0x7D 0x67 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x3B 0xAD 0xDE 0xB9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xAB 0x5B 0x14 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----