GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-07 14:44:53 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SP2504C rev.VT100-33 232,89GB Running: sxdb0hb0.exe; Driver: C:\Users\admin\AppData\Local\Temp\axldrpod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80003205000 45 bytes [00, 00, 10, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff8000320502f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4552] entry point in ".rdata" section 0000000074a171e6 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x4b7e28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x4b7e68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x4b7da8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x4b7d28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x4b7f28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x4b7f68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x4b7ee8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x4b7ea8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x4b7c68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x4b7ca8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x4b7c28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x4b7de8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x4b7d68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x4b7ce8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0xb2e228; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0xb2e268; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0xb2e1a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0xb2e128; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0xb2e328; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0xb2e368; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0xb2e2e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0xb2e2a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0xb2e068; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0xb2e0a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0xb2e028; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0xb2e1e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0xb2e168; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0xb2e0e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0xf8e628; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0xf8e668; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0xf8e5a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0xf8e528; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0xf8e728; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0xf8e768; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0xf8e6e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0xf8e6a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0xf8e468; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0xf8e4a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0xf8e428; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0xf8e5e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0xf8e568; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0xf8e4e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x5b2a28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x5b2a68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x5b29a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x5b2928; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x5b2b28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x5b2b68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x5b2ae8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x5b2aa8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x5b2868; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x5b28a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x5b2828; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x5b29e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x5b2968; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x5b28e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x882e28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x882e68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x882da8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x882d28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x882f28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x882f68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x882ee8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x882ea8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x882c68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x882ca8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x882c28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x882de8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x882d68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x882ce8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0xd61e28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0xd61e68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0xd61da8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0xd61d28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0xd61f28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0xd61f68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0xd61ee8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0xd61ea8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0xd61c68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0xd61ca8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0xd61c28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0xd61de8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0xd61d68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0xd61ce8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0xb4d628; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0xb4d668; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0xb4d5a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0xb4d528; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0xb4d728; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0xb4d768; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0xb4d6e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0xb4d6a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0xb4d468; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0xb4d4a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0xb4d428; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0xb4d5e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0xb4d568; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0xb4d4e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x692e28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x692e68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x692da8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x692d28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x692f28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x692f68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x692ee8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x692ea8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x692c68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x692ca8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x692c28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x692de8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x692d68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x692ce8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0xe14228; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0xe14268; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0xe141a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0xe14128; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0xe14328; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0xe14368; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0xe142e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0xe142a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0xe14068; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0xe140a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0xe14028; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0xe141e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0xe14168; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0xe140e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Program Files (x86)\JDownloader 2\JDownloader 2.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Program Files (x86)\JDownloader 2\JDownloader 2.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x2eda28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x2eda68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x2ed9a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x2ed928; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x2edb28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x2edb68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x2edae8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x2edaa8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x2ed868; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x2ed8a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x2ed828; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x2ed9e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x2ed968; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x2ed8e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[5888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\Desktop\OTL.exe[5224] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\Desktop\OTL.exe[5224] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x119628; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x119668; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x1195a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x119528; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x119728; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x119768; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x1196e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x1196a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x119468; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x1194a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x119428; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x1195e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x119568; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x1194e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007781f991 7 bytes {MOV EDX, 0x796a28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007781fbd5 7 bytes {MOV EDX, 0x796a68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007781fc05 7 bytes {MOV EDX, 0x7969a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007781fc1d 7 bytes {MOV EDX, 0x796928; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007781fc35 7 bytes {MOV EDX, 0x796b28; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007781fc65 7 bytes {MOV EDX, 0x796b68; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007781fce5 7 bytes {MOV EDX, 0x796ae8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007781fcfd 7 bytes {MOV EDX, 0x796aa8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007781fd49 7 bytes {MOV EDX, 0x796868; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007781fe41 7 bytes {MOV EDX, 0x7968a8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077820099 7 bytes {MOV EDX, 0x796828; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000778210a5 7 bytes {MOV EDX, 0x7969e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007782111d 7 bytes {MOV EDX, 0x796968; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077821321 7 bytes {MOV EDX, 0x7968e8; JMP RDX} .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075901465 2 bytes [90, 75] .text C:\Users\admin\AppData\Local\Google\Chrome\Application\chrome.exe[4556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759014bb 2 bytes [90, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:1980] 0000000077853e45 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:1512] 0000000077852e25 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2288] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2292] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2296] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2300] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2304] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2340] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2344] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2348] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2352] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2356] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2608] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2612] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2616] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2876] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2880] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2896] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2900] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:3068] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2084] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:1516] 0000000077853e45 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2596] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:1984] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:992] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2036] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:2968] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:3556] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:4072] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:4076] 0000000073b529e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1632:3444] 0000000073b529e1 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E0FD20B-0036-56C2-7583-DE56978A4739} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E0FD20B-0036-56C2-7583-DE56978A4739}@madkeeagoelffmgljookkgeamo 0x6F 0x61 0x65 0x69 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E0FD20B-0036-56C2-7583-DE56978A4739}@abekbfomeklfmclafdoamjncpbcjpofdhc 0x70 0x61 0x6F 0x6A ... ---- Files - GMER 2.1 ---- File C:\Program Files (x86)\JDownloader 2\cfg\downloadList166587.zip 3165 bytes File C:\Users\admin\AppData\Local\Opera\Opera\cache\g_0009\opr03JCH.tmp 9959 bytes File C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr03JCN.tmp 9959 bytes ---- EOF - GMER 2.1 ----