GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-08 11:25:12 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 TOSHIBA_THNSNK256GCS8_SATA_256GB rev.K8DC4101 238,47GB Running: ty7vn7hz.exe; Driver: C:\Users\D&A\AppData\Local\Temp\kgpdiuog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2432] entry point in ".rdata" section 0000000071368fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2432] entry point in ".rdata" section 00000000711e16f0 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [2644] entry point in ".rdata" section 000000007205c940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2644] entry point in ".rdata" section 0000000071368fc0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xb323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x187f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xd4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0x939da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 6 bytes {JMP QWORD [RIP+0xf079a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x167a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x155c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1684] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xb323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x187f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xd4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0x939da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 6 bytes {JMP QWORD [RIP+0xf079a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x167a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x155c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12048] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x167a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x155c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7856] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x167a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x155c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8184] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x167a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x155c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12056] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} ? C:\WINDOWS\SYSTEM32\iertutil.dll [11448] entry point in ".rdata" section 00000000711e16f0 ? C:\WINDOWS\SYSTEM32\d3d10_1.dll [11448] entry point in ".rdata" section 0000000071de2810 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [11448] entry point in ".rdata" section 000000005cfaa020 ? C:\WINDOWS\system32\ncryptsslp.dll [11448] entry point in ".rdata" section 000000005cf804f0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [11772] entry point in ".rdata" section 00000000711e16f0 ? C:\WINDOWS\SYSTEM32\d3d10_1.dll [11772] entry point in ".rdata" section 0000000071de2810 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [11772] entry point in ".rdata" section 000000005cfaa020 ? C:\WINDOWS\system32\ncryptsslp.dll [11772] entry point in ".rdata" section 000000005cf804f0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5888] entry point in ".rdata" section 00000000711e16f0 ? C:\WINDOWS\SYSTEM32\d3d10_1.dll [5888] entry point in ".rdata" section 0000000071de2810 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5888] entry point in ".rdata" section 000000005cfaa020 ? C:\WINDOWS\system32\ncryptsslp.dll [5888] entry point in ".rdata" section 000000005cf804f0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4400] entry point in ".rdata" section 00000000711e16f0 ? C:\WINDOWS\SYSTEM32\d3d10_1.dll [4400] entry point in ".rdata" section 0000000071de2810 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4400] entry point in ".rdata" section 000000005cfaa020 ? C:\WINDOWS\system32\ncryptsslp.dll [4400] entry point in ".rdata" section 000000005cf804f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ff849e665c0 6 bytes {JMP QWORD [RIP+0x1baa3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff849ec6260 16 bytes {MOV RAX, 0x7ff79f970d60; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ff849ec63c0 5 bytes [FF, 25, 3A, AC, 17] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ff849ec6540 16 bytes {MOV RAX, 0x7ff79f970de0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff849ec6580 16 bytes {MOV RAX, 0x7ff79f9711d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ff849ec65a0 16 bytes {MOV RAX, 0x7ff79f970fc0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff849ec65c0 16 bytes {MOV RAX, 0x7ff79f970c40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ff849ec6600 16 bytes {MOV RAX, 0x7ff79f970cb0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ff849ec66a0 16 bytes {MOV RAX, 0x7ff79f970e50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ff849ec66c0 16 bytes {MOV RAX, 0x7ff79f971220; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff849ec6720 16 bytes {MOV RAX, 0x7ff79f970f40; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ff849ec6860 16 bytes {MOV RAX, 0x7ff79f970f80; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ff849ec6ac0 5 bytes [FF, 25, 3A, A5, 19] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff849ec6b60 16 bytes {MOV RAX, 0x7ff79f970ec0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ff849ec83d0 16 bytes {MOV RAX, 0x7ff79f971200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff849ec8490 16 bytes {MOV RAX, 0x7ff79f9711a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ff849ec8730 16 bytes {MOV RAX, 0x7ff79f970fa0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileW 00007ff84746ddc0 6 bytes {JMP QWORD [RIP+0xc323a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ff847471800 6 bytes {JMP QWORD [RIP+0x189f7fa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileW + 3 00007ff847474a33 2 bytes [C5, 0F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!CopyFileA 00007ff8474ac1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!MoveFileA 00007ff8474ad620 6 bytes {JMP QWORD [RIP+0xa39da]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!WinExec 00007ff8474b0860 4 bytes [FF, 25, 9A, 07] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\KERNEL32.DLL!WinExec + 5 00007ff8474b0865 1 byte [00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteExW 00007ff847656a90 6 bytes {JMP QWORD [RIP+0x168a56a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\SHELL32.dll!ShellExecuteW 00007ff847754c60 6 bytes {JMP QWORD [RIP+0x156c39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\System32\WS2_32.dll!WSAStartup 00007ff8496c2630 6 bytes {JMP QWORD [RIP+0x7e9ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ff83e0ed360 6 bytes {JMP QWORD [RIP+0x9e3c9a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFile 00007ff83e0f8a80 6 bytes {JMP QWORD [RIP+0x93857a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ff83e143370 6 bytes {JMP QWORD [RIP+0x92dc8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ff83e143c60 6 bytes {JMP QWORD [RIP+0x86d39a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW 00007ff83e14c7f0 3 bytes [FF, 25, 0A] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ff83e14c7f4 2 bytes [90, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ff83e17e240 6 bytes {JMP QWORD [RIP+0x932dba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ff83e185170 6 bytes {JMP QWORD [RIP+0x90be8a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ff83e1ece40 6 bytes {JMP QWORD [RIP+0x8241ba]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ff83e1ed730 6 bytes {JMP QWORD [RIP+0x8038ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ff83e215b30 6 bytes {JMP QWORD [RIP+0x7bb4ca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ff83e6c2230 6 bytes {JMP QWORD [RIP+0x18edca]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ff83e6c22c0 6 bytes {JMP QWORD [RIP+0x1ded3a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ff83e74f610 6 bytes {JMP QWORD [RIP+0x1719ea]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ff83e74f790 6 bytes {JMP QWORD [RIP+0x12186a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ff83e74f8e0 6 bytes {JMP QWORD [RIP+0x23171a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ff83e74f9c0 6 bytes {JMP QWORD [RIP+0x20163a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ff83e74fc50 6 bytes {JMP QWORD [RIP+0x1d13aa]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] C:\WINDOWS\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ff83e74fd20 6 bytes {JMP QWORD [RIP+0x1a12da]} ? C:\WINDOWS\system32\apphelp.dll [10844] entry point in ".rdata" section 00000000705df7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[msvcrt.dll!_XcptFilter] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!TerminateProcess] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!UnhandledExceptionFilter] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!FreeLibraryAndExitThread] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!GetModuleHandleExA] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!SetEvent] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!CreateThread] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!GetTickCount] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!LoadLibraryExA] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[KERNEL32.dll!Sleep] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[ADVAPI32.dll!RegOpenKeyExA] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\rasctrs.dll[ADVAPI32.dll!OpenSCManagerA] [0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[msvcrt.dll!_initterm] [cccccccccccccccc] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[msvcrt.dll!malloc] [cccccccccccccccc] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[msvcrt.dll!free] [c41c10ff0ffc883] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[msvcrt.dll!_amsg_exit] [ccccccccccc3c8ff] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[msvcrt.dll!_XcptFilter] [cccccccccccccccc] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[msvcrt.dll!memmove] [cccccccccccccccc] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!WmiOpenBlock] [ccccc328c48348c1] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!WmiQueryAllDataW] [dc1b70fcccccccc] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!WmiCloseBlock] [4e0fc98580070000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!DeregisterEventSource] [ccccccccccccc3c1] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!RegisterEventSourceA] [74894808245c8948] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!RegCloseKey] [4118247c89481024] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!RegQueryValueExA] [718d4820ec834856] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!ReportEventA] [74003e83f98b4808] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[ADVAPI32.dll!RegOpenKeyExA] [3a74001079834864] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!RtlCaptureContext] [8b492274f6854d08] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!GetTickCount] [dd15ff068b49084e] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!RtlVirtualUnwind] [49105e8b49000075] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!UnhandledExceptionFilter] [72e815ffce8b] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [de75db8548f38b4c] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!GetCurrentProcess] [6783480008668348] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!TerminateProcess] [8548404f8b480010] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!RtlLookupFunctionEntry] [8b48018b480d74c9] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!HeapFree] [75a815ff1040] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!lstrlenW] [5c8b480026830000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!Sleep] [483824748b483024] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!QueryPerformanceCounter] [20c4834840247c8b] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!GetCurrentProcessId] [c0000005b9c35e41] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!GetCurrentThreadId] [ccccccfffffeafe8] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\WINDOWS\system32\usbperf.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [cccccccccccccccc] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!wcsncat_s] [8948102474894808] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_initterm] [48ec8b4857415641] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!malloc] [ea8b4cf63350ec83] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!free] [8b48e07589d98b48] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_amsg_exit] [48fe8b000078e30d] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_XcptFilter] [568de68b44e87589] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!wcsncpy_s] [70468d44f0758908] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_ltow] [3f0e15fff8758948] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_vsnprintf] [c08548f08b4c0000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!memcpy] [f44000002be840f] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[msvcrt.dll!memset] [8b4808568d5a7bb7] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlVirtualUnwind] [8349c7b70f4502c7] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlLookupFunctionEntry] [3ee015ff10c0] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlCaptureContext] [f68548c033f08b48] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtQueryValueKey] [8b480000021f840f] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlNtStatusToDosError] [548d41000078830d] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtClose] [468d480689660824] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlInitUnicodeString] [8948027e89446610] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtOpenKey] [664a7bb70f440846] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtQuerySystemInformation] [c7b70f4502c78341] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[WINSTA.dll!WinStationEnumerateExW] [415e415f41e38b49] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[WINSTA.dll!WinStationFreeMemory] [ccccccc35d5c415d] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[UTILDLL.dll!StrConnectState] [385b8b4900000230] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!UnhandledExceptionFilter] [4800000170c38401] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!Sleep] [8b44000000d0938b] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!lstrlenW] [3b480a8b4819ebc8] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetProcessHeap] [4a084a03480d72f9] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [75d2854868528b48] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!DisableThreadLibraryCalls] [74d28548d48b49e2] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetLastError] [14c28ca44014e0b] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!OutputDebugStringA] [cb84014e22eb2042] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!HeapFree] [7d8118eb00000100] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [4c07750004000088] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetCurrentProcess] [14c08eb48c34401] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!TerminateProcess] [34900000090c384] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!QueryPerformanceCounter] [feaf820ffe3b48f8] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetCurrentProcessId] [4830244c8b48ffff] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetCurrentThreadId] [8d8b48c38b480000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetTickCount] [e8cc334800000120] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegisterEventSourceW] [21eb00000006b828] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegQueryValueExA] [b81aeb00000005b8] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegCloseKey] [3b813eb00000004] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!DeregisterEventSource] [2b80ceb000000] IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[4596] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegOpenKeyExA] [1b805eb0000] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5816] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8499f002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8340] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8499f002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2968] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8499f002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2560] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8499f002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11256] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8499f002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11552] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8499f002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\ole32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\ole32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8499f006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff848c9002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1540] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8016ebd5c] C:\Program Files (x86)\Google\Chrome\Application\57.0.2987.133\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\svchost.exe [848:412] 00007ff8448d8ae0 Thread C:\Windows\System32\WUDFHost.exe [592:4892] 00007ff8299a6f30 Thread C:\Windows\System32\WUDFHost.exe [592:4952] 00007ff83e832cf0 Thread C:\Windows\System32\WUDFHost.exe [592:4960] 00007ff82f92ed10 Thread C:\Windows\System32\WUDFHost.exe [592:4972] 00007ff8297e2690 Thread C:\WINDOWS\system32\svchost.exe [1056:10588] 00007ff80ea2ac90 Thread C:\WINDOWS\system32\svchost.exe [1056:10616] 00007ff80ea23590 Thread C:\WINDOWS\system32\svchost.exe [1056:7128] 00007ff8426b9040 Thread C:\WINDOWS\system32\svchost.exe [1056:7136] 00007ff83d4499e0 Thread C:\WINDOWS\system32\svchost.exe [1056:7144] 00007ff83e832cf0 Thread C:\WINDOWS\system32\svchost.exe [1208:1960] 00007ff83d4499e0 Thread C:\WINDOWS\system32\svchost.exe [1208:1964] 00007ff83e832cf0 Thread C:\WINDOWS\system32\svchost.exe [1324:4092] 00007ff8338c3bc0 Thread C:\WINDOWS\system32\svchost.exe [1324:2064] 00007ff833801240 Thread C:\WINDOWS\system32\svchost.exe [1324:3916] 00007ff830daa3b0 Thread C:\WINDOWS\system32\svchost.exe [1324:4104] 00007ff82f0d25e0 Thread C:\WINDOWS\system32\svchost.exe [1324:8880] 00007ff8338c2080 Thread C:\WINDOWS\system32\svchost.exe [1796:1860] 00007ff83df5fa00 Thread C:\WINDOWS\system32\svchost.exe [1796:1872] 00007ff83d9510a0 Thread C:\WINDOWS\system32\svchost.exe [1796:1976] 00007ff83e832cf0 Thread C:\WINDOWS\system32\svchost.exe [1796:1336] 00007ff83d2f5be0 Thread C:\WINDOWS\system32\svchost.exe [1796:1216] 00007ff83d2f9b30 Thread C:\WINDOWS\system32\svchost.exe [1796:1488] 00007ff83e832cf0 Thread C:\WINDOWS\system32\svchost.exe [1888:1944] 00007ff83d4b44b0 Thread C:\WINDOWS\system32\svchost.exe [1888:1736] 00007ff845446750 Thread C:\WINDOWS\System32\spoolsv.exe [2004:9300] 00007ff832e15bc0 Thread C:\WINDOWS\System32\spoolsv.exe [2004:9304] 00007ff832172740 Thread C:\WINDOWS\System32\spoolsv.exe [2004:9312] 00007ff81f821180 Thread C:\WINDOWS\System32\spoolsv.exe [2004:9316] 00007ff81f628e40 Thread C:\WINDOWS\system32\svchost.exe [2652:696] 00007ff832e15bc0 Thread C:\WINDOWS\system32\svchost.exe [2652:992] 00007ff832172740 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4220:4276] 00007ff82e097944 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4220:4280] 00007ff82df5beb4 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4220:4448] 00007ff82df5beb4 Thread C:\WINDOWS\system32\svchost.exe [9440:9532] 00007ff81ac0b180 Thread C:\WINDOWS\system32\svchost.exe [9440:9536] 00007ff81ac0f5f0 Thread C:\WINDOWS\system32\csrss.exe [4424:2800] ffffc98a33606c20 Thread C:\WINDOWS\system32\svchost.exe [10472:484] 00007ff82fd9dbe0 Thread C:\WINDOWS\system32\svchost.exe [10472:4652] 00007ff82fd9dbe0 Thread C:\Windows\System32\RuntimeBroker.exe [10860:7328] 00007ff8445e2880 Thread C:\Windows\System32\RuntimeBroker.exe [10860:1008] 00007ff8437bbb70 ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 000000005ad50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 0000000004a30000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 0000000059cc0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 0000000071e90000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 00000000597e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 0000000057360000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 0000000056400000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 000000005b650000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [1928] 0000000054a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 000000005ad50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 0000000004990000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 0000000059cc0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 0000000071e90000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 00000000597e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 0000000057360000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 0000000056400000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 000000005b650000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11448] 0000000054a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 000000005ad50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 0000000004790000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 0000000059cc0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 0000000071e90000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 00000000597e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 0000000057360000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 0000000056400000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 000000005b650000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [11772] 0000000054a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 000000005ad50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 0000000004970000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 0000000059cc0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 0000000071e90000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 00000000597e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 0000000057360000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 0000000056400000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 000000005b650000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [5888] 0000000054a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 000000005ad50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 0000000004150000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 0000000059cc0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 0000000071e90000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 00000000597e0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 0000000057360000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 0000000056400000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 000000005b650000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 0000000054a40000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ADAL.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [4400] 000000005d080000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 205969175 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xB5 0xFB 0x4C 0x74 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xB5 0x63 0x11 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xB5 0x93 0x88 0x12 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----