GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-19 16:40:49 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 Hitachi_HDS721616PLA380 rev.P22OA70A 153,39GB Running: biye8q4n.exe; Driver: C:\Users\zby\AppData\Local\Temp\uwldypow.sys ---- System - GMER 2.0 ---- INT 0x62 ? 8530ECB8 INT 0x72 ? 8530ECB8 INT 0x82 ? 8530ECB8 INT 0x92 ? 8530ECB8 INT 0x92 ? 8530ECB8 INT 0x92 ? 86B57CB8 INT 0x92 ? 86B57CB8 INT 0x92 ? 8530ECB8 INT 0x93 ? 86B57CB8 INT 0xA3 ? 86B57CB8 INT 0xB3 ? 86B57CB8 ---- Kernel code sections - GMER 2.0 ---- .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x82FDAB2E] PAGE PCIIDEX.SYS!DllUnload 8A86C5C0 5 Bytes JMP 84F281C8 PAGE ataport.SYS!DllUnload 8A8ACB2E 5 Bytes JMP 8530E1C8 .text USBPORT.SYS!DllUnload 8F18541B 5 Bytes JMP 86B571C8 .text afvwaf31.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 8F1D7900 48 Bytes JMP F432118C ? C:\Windows\System32\Drivers\afvwaf31.SYS suspicious PE modification PAGE spsys.sys!?SPVersion@@3PADA + 1ABF 9E08F03F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...] PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 9E08F0AF 1 Byte [16] PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 9E08F0AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...] PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 9E08F130 6 Bytes [0E, 83, 78, 14, 01, 75] PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 9E08F137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...] PAGE ... .text C:\Windows\system32\DRIVERS\athsgt.sys section is writeable [0xA0AED300, 0x21F20, 0xE8000020] ---- User code sections - GMER 2.0 ---- .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes CALL 5A5F4406 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, EB, 27, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes CALL 5A5F4BE6 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes JMP 5A5F4C66 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 76607438 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes JMP E2FF0027 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes JMP 5A5F4CD6 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes JMP E2FF0027 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 766074B9 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes CALL 5A5F4D86 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 766075F7 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes JMP 5A5F5316 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes JMP E2FF0027 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, EB, 27, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 7C, 31, 00] {SUB [ECX+ESI+0x0], BH} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 7F, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 7C, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 7D, 31, 00] {TEST AL, 0x7d; XOR [EAX], EAX} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 76607DCC .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 7E, 31, 00] {TEST AL, 0x7e; XOR [EAX], EAX} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 7D, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 7E, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 76607E4D .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 7C, 31, 00] {TEST AL, 0x7c; XOR [EAX], EAX} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 76607F8B .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 7D, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 7E, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 7F, 31, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7364] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 18, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 1B, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 18, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 19, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 76609168 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 1A, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 19, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 1A, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 766091E9 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 18, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 76609327 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 19, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 1A, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 1B, 45, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[7808] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, E0, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, E3, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, E0, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, E1, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 7660F030 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, E2, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, E1, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, E2, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 7660F0B1 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, E0, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 7660F1EF .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, E1, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, E2, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, E3, A3, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[15872] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, D8, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, DB, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, D8, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, D9, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 7660A028 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, DA, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, D9, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, DA, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 7660A0A9 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, D8, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 7660A1E7 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, D9, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, DA, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, DB, 53, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[24272] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 64, 3F, 00] {SUB [EDI+EDI+0x0], AH} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 67, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 64, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 65, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 76608BB4 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 66, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 65, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 66, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 76608C35 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 64, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 76608D73 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 65, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 66, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 67, 3F, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 58, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 5B, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 58, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 59, B2, 00] {TEST AL, 0x59; MOV DL, 0x0} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 7660FEA8 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 5A, B2, 00] {TEST AL, 0x5a; MOV DL, 0x0} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 59, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 5A, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 7660FF29 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 58, B2, 00] {TEST AL, 0x58; MOV DL, 0x0} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 76610067 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 59, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 5A, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 5B, B2, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 4C, 93, 00] {SUB [EBX+EDX*4+0x0], CL} .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 4F, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 4C, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 4D, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 7660DF9C .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 4E, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 4D, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 4E, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 7660E01D .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 4C, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 7660E15B .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 4D, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 4E, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 4F, 93, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 9C, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 9F, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 9C, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 9D, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 7660F2EC .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 9E, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 9D, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 9E, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 7660F36D .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 9C, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 7660F4AB .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 9D, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 9E, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 9F, A6, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtCreateFile + 6 776043DA 4 Bytes [28, 78, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtCreateFile + B 776043DF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtMapViewOfSection + 6 77604B2A 4 Bytes [28, 7B, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtMapViewOfSection + B 77604B2F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenFile + 6 77604BBA 4 Bytes [68, 78, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenFile + B 77604BBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenProcess + 6 77604C3A 4 Bytes [A8, 79, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenProcess + B 77604C3F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenProcessToken + 6 77604C4A 4 Bytes CALL 7660A4C8 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenProcessToken + B 77604C4F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenProcessTokenEx + 6 77604C5A 4 Bytes [A8, 7A, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenProcessTokenEx + B 77604C5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenThread + 6 77604CAA 4 Bytes [68, 79, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenThread + B 77604CAF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenThreadToken + 6 77604CBA 4 Bytes [68, 7A, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenThreadToken + B 77604CBF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenThreadTokenEx + 6 77604CCA 4 Bytes CALL 7660A549 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtOpenThreadTokenEx + B 77604CCF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtQueryAttributesFile + 6 77604D5A 4 Bytes [A8, 78, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtQueryAttributesFile + B 77604D5F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtQueryFullAttributesFile + 6 77604E0A 4 Bytes CALL 7660A687 .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtQueryFullAttributesFile + B 77604E0F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtSetInformationFile + 6 776052EA 4 Bytes [28, 79, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtSetInformationFile + B 776052EF 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtSetInformationThread + 6 7760533A 4 Bytes [28, 7A, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtSetInformationThread + B 7760533F 1 Byte [E2] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtUnmapViewOfSection + 6 776055DA 4 Bytes [68, 7B, 58, 00] .text C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] ntdll.dll!NtUnmapViewOfSection + B 776055DF 1 Byte [E2] ---- Kernel IAT/EAT - GMER 2.0 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82EE5F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [82EE6232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82EE5730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82EE60F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82EE5856] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82EE5914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74697817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746EA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7469BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7468F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7468E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746C8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7469DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7468FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7468FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7471CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [746BC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7468D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74686853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7468687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74692AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[2752] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00280010 IAT C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[25360] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00410010 IAT C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27156] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00B40010 IAT C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[27232] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00940010 IAT C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[34552] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00A80010 IAT C:\Users\zby\AppData\Local\Google\Chrome\Application\chrome.exe[41424] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 005A0010 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC1 0x61 0xA8 0x67 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAC 0x92 0x8A 0x9A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x81 0xDE 0x92 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5C 0x0A 0x68 0x65 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x71 0x7A 0x9A 0xFE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC1 0x61 0xA8 0x67 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAC 0x92 0x8A 0x9A ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x81 0xDE 0x92 0x80 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5C 0x0A 0x68 0x65 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x71 0x7A 0x9A 0xFE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)