GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-03 13:48:47
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000002a GOODRAM rev.SAFM12.2 223,57GB
Running: by7pipkt.exe; Driver: C:\Users\pcc\AppData\Local\Temp\kfxdqpob.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 36, 7F, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 36, 7F, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 36, 7F, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe[9924]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [9924] entry point in ".rdata" section 000000006cc0a020
?      C:\WINDOWS\system32\ncryptsslp.dll [9924] entry point in ".rdata" section 000000006b4804f0

.text  C:\WINDOWS\system32\PnkBstrA.exe[7640]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\WINDOWS\system32\PnkBstrA.exe[7640]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\WINDOWS\system32\PnkBstrA.exe[7640]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\WINDOWS\system32\PnkBstrA.exe[7640]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\WINDOWS\system32\PnkBstrA.exe[7640]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\system32\apphelp.dll [7640] entry point in ".rdata" section 000000006b4df7c0

.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 3D, 7F, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 3D, 7F, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 3D, 7F, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2588]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [2588] entry point in ".rdata" section 000000006cc0a020
?      C:\WINDOWS\system32\ncryptsslp.dll [2588] entry point in ".rdata" section 000000006b4804f0

.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 8F, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 8F, FE, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 8F, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[10568]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [10568] entry point in ".rdata" section 000000006cc0a020
?      C:\WINDOWS\SYSTEM32\iertutil.dll [10568] entry point in ".rdata" section 000000006fc61590
?      C:\WINDOWS\system32\apphelp.dll [10568] entry point in ".rdata" section 000000006b4df7c0

.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 5F, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 5F, FE, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 5F, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe[9744]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [9744] entry point in ".rdata" section 000000006cc0a020
?      C:\WINDOWS\SYSTEM32\iertutil.dll [9744] entry point in ".rdata" section 000000006fc61590

.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 4B, 7E, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 4B, 7E, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 4B, 7E, 00, 00, 00, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[6684]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\system32\apphelp.dll [6684] entry point in ".rdata" section 000000006b4df7c0

.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 89, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 89, FE, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 89, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7240]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\SYSTEM32\dbgcore.DLL [7240] entry point in ".rdata" section 000000007206c940
?      C:\WINDOWS\system32\wbem\wbemsvc.dll [7240] entry point in ".rdata" section 0000000071598fc0
?      C:\WINDOWS\SYSTEM32\iertutil.dll [7240] entry point in ".rdata" section 000000006fc61590
?      C:\WINDOWS\System32\apphelp.dll [7240] entry point in ".rdata" section 000000006b4df7c0
?      C:\Windows\System32\ActXPrxy.dll [7240] entry point in ".rdata" section 0000000058a69c50
?      C:\Windows\System32\OneCoreCommonProxyStub.dll [7240] entry point in ".rdata" section 000000005880da90

.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, C5, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, C5, FE, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, C5, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Mozilla Firefox\firefox.exe[8424]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]

.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, C9, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, C9, FE, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, C9, FE, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\Steam.exe[6528]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]

.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, B6, 7E, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, B6, 7E, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, B6, 7E, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564  000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875  000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30  000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text  C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87  000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [8452] entry point in ".rdata" section 000000006cc0a020
?      C:\WINDOWS\SYSTEM32\iertutil.dll [8452] entry point in ".rdata" section 000000006fc61590

.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207  00007ffbac1f132f 8 bytes [50, 6E, 5C, 7F, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449  00007ffbac1f1421 8 bytes [40, 6E, 5C, 7F, 00, 00, 00, ...]
.text  ... * 2
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368  00007ffbac1f16b0 8 bytes [20, 6E, 5C, 7F, 00, 00, 00, ...]
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852  00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175  00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread  00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread  00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread  00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx  00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread  00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread  00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text  C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636]  C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210  000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3636] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 8 bytes [50, 6E, 81, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffbac1f1421 8 bytes [40, 6E, 81, 7E, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 8 bytes [20, 6E, 81, 7E, 00, 00, 00, ...] 
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] 
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[6152] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
? C:\WINDOWS\SYSTEM32\NTASN1.dll [6152] entry point in ".rdata" section 000000006cc0a020
? C:\WINDOWS\SYSTEM32\iertutil.dll [6152] entry point in ".rdata" section 000000006fc61590
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 2 bytes [50, 6E]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 210 00007ffbac1f1332 5 bytes [FE, 00, 00, 00, 00]
.text ... * 5
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 2 bytes [20, 6E]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 371 00007ffbac1f16b3 5 bytes [FE, 00, 00, 00, 00]
.text ... * 3
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffbac1f230f 2 bytes {JMP 0xffffffffffffffec}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 178 00007ffbac1f2312 5 bytes [FE, 00, 00, 00, 00]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[4716] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [4716] entry point in ".rdata" section 000000007206c940
? C:\WINDOWS\SYSTEM32\atlthunk.dll [4716] entry point in ".data" section 0000000070384290
? C:\WINDOWS\system32\apphelp.dll [4716] entry point in ".rdata" section 000000006b4df7c0
? C:\Windows\System32\mfwmaaec.dll [4716] entry point in ".rdata" section 000000005a0c2e20
? C:\WINDOWS\system32\wbem\wbemsvc.dll [4716] entry point in ".rdata" section 0000000071598fc0
? C:\Windows\System32\ActXPrxy.dll [4716] entry point in ".rdata" section 0000000058a69c50
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 8 bytes [50, 6E, 04, FF, 00, 00, 00, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffbac1f1421 8 bytes [40, 6E, 04, FF, 00, 00, 00, ...]
.text ... * 2
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 8 bytes [20, 6E, 04, FF, 00, 00, 00, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[920] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 8 bytes [50, 6E, E6, FF, 00, 00, 00, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffbac1f1421 8 bytes [40, 6E, E6, FF, 00, 00, 00, ...]
.text ... * 2
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 8 bytes [20, 6E, E6, FF, 00, 00, 00, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\AppData\Local\Discord\app-0.0.297\Discord.exe[2992] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [2992] entry point in ".rdata" section 000000007206c940
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffbac1f1421 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...]
.text ... * 2
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffbac1f1894 8 bytes {JMP 0xffffffffffffffa0}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffbac1f230f 8 bytes {JMP 0xffffffffffffffec}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffbac296560 8 bytes {JMP QWORD [RIP-0xa4cd2]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbac296800 8 bytes {JMP QWORD [RIP-0xa52d6]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffbac296960 8 bytes {JMP QWORD [RIP-0xa5545]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbac297770 8 bytes {JMP QWORD [RIP-0xa5467]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffbac297d70 8 bytes {JMP QWORD [RIP-0xa63af]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbac298fb0 8 bytes {JMP QWORD [RIP-0xa7682]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000005f9f16b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000005f9f17eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005f9f181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000005f9f1857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
? C:\WINDOWS\system32\apphelp.dll [4316] entry point in ".rdata" section 000000006b4df7c0

---- User IAT/EAT - GMER 2.2 ----

IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\system32\AUDIODG.EXE[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [7ffbac3d0000]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\KERNEL32.DLL[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\KERNELBASE.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7ffbac3d0000]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\RPCRT4.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\sechost.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\bcryptPrimitives.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7ffbac3d0000]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\audioeng.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\AVRT.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\ADVAPI32.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\SETUPAPI.dll[ntdll.dll!NtClose] [7ffbac3d0010]
IAT C:\WINDOWS\system32\AUDIODG.EXE[9328] @ C:\WINDOWS\System32\windows.storage.dll[ntdll.dll!NtClose] [7ffbac3d0010]

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????? ?????????????????????p??L?????N?????????s???????N?????????????????{1AA7F846-C7F5-11D0-A376-00C04FC9DA04}??????? ?????????????????????p?????? ?N???&?????????????????????????N????????????d????{1AA7F840-C7F5-11D0-A376-00C04FC9DA04}????????N????????????e????@%Systemroot%\system32\mprddm.dll,-202????????N?????????????????{76560D00-2BFD-11d2-9539-3078302C2030}??????? ??????????????????????????????? ?????????????????????p?????? ?N???&??????????????????????????????????????d??????????????????N????????????e????@%Systemroot%\system32\mprddm.dll,-203????????B?????????????%SystemRoot%\System32\mprddm.dll??????N?????????????????{76560D81-2BFD-11d2-9539-3078302C2030}??????? ??????????????????Microsoft???? ???????p?????????????p????????????????????????? ?????????????????????p??L?????N?????????s???????N?????????????????{1AA7F841-C7F5-11D0-A376-00C04FC9DA04}??????????????? ?????????????????????p?????? ?N???&?????????????????????????N????????????d????{1AA7F83F-C7F5-11D0-A376-00C04FC9DA04}????????????????????N????????
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -65144451
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2622
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xAA 0x51 0xD1 0x9F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xAA 0xB9 0x95 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xAA 0xE9 0x0C 0x3E ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x52 0x81 0xB7 0xC1 ...

---- Files - GMER 2.2 ----

File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\29A49A74B6A6E6CB78B8C2B9F20AFD83CF1B5BB2 4121 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\548ED1AED105F2003EB4549771CBE4547DAAFF39 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\762595217FF2BBA5A5E3C535EDED04B7ED475775 41362 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\FC825ECE36F1DF2F5C730A97A3340CFCF0DB15CA 470016 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\CE49A5554E7C016051B9198CFB78A4431F1FD9A9 3639 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\049D1EF64815953717151FBD410297E4228F94B6 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\C140F61DD5CABD0F57861407E6C24EAA5E47BB67 4266 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\B91F48EE49E8B00F10640CFE185D86DAF4C595E7 2513 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\FE9E415ADAC1B0E50B856ADF8DD3DC41BACABEBF 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\7355B93EA631C6409986D276DDE4BD8D1D3F1BC8 11552 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\C6D8B30C1E284163A253A91824D694E1BC5CE83F 5378 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\C4DAE4D1AC63FE3AAF3DD5618B04231D2BB99CD7 4180 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\FB1E8F1FFFF0A350F0EFDE190322C858AC79FB33 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\801255A5C574D88019BC579DCC9022F2FD5742CB 4332 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\004809235FDBFA477D56CB5522D46380192734D6 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\B70E268311D4CF860C7D669B878FBF8A1AA36A16 1561037 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\398AC999E5FCC5429587C1C56CD158D081188CE4 404717 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\A935CEE4AF088091461EFE90DE5F5DE7B3C5848E 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\22424F17AE84545ADC506BFE4F865184FF4A7761 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\97C42C5368FD30CDD214016D038A3980530B461A 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\6BF89060DEFD77E50DCDA0C56DEC646AC11837F2 18423 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\8E6325D828193154708FB580471CA8724DC8C3F8 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\D2D29AE7E58C11D78850CD45DB2ABF5C70357DDD 4224 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\A15205E274DBC93033D79F6E19A7F3E11E31A221 232442 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\F28E78A8E75663EB6E2CB196FC5A3A52D3DAE314 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\1746FEE55E8F850EAD0F985B89C5DDB64C4314F7 11070 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\D3DA722D8FAC2477861E269D180F8FE986CB8FCD 805232 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\F592BE26FE344357250C27691DD78CCAE17E938A 3043 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\6F245223B1638B7D2E0D3A31C813F0D64E0EA64A 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\4ECC7997D100C3750480634E0FA4FDBA2876AE1E 69894 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\E950066F492ADC05534DA207E8C8315CF90EC06C 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\2A1F625D115100D6F2EBC563275C75A9FEAD50BA 69894 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\0B4D385F7705CD3DF37CFD362180AE6D502A9236 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\BBBDDAC262D9D1108FB34DF58395E03BCC82722B 4100 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\836A852E8FF3F76C1F33E7F0F017BBA9C5829B66 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\8375637583D1244C0E2CB56882DB017A171826CA 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\0A7CBB23A7F6E43BAE18C229F05B35F784098098 493810 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\3FB5BDF73F69E4624BB8AF5CE8F24811F266E478 12464 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\A84DA1BBEAF43B79280629526C8A807D275DFA2E 10000 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\0821C321642C049B5CCED67772ADB0478C615231 4712 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\1DC7F9E7C650E82FC6B7E55691375F052A4C7B7A 9788 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\CE7F939EA4DF24BEACC090B711EEC48EAE452BCB 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\395F9D4DE2620C94032DE7003ED56ACD5EA02549 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\D78347C5504A822440FDE12F94420A00ADC69D4B 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\E0AF0505D86D6E8A6A6B08535FEBE602E58D879A 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\E0EA8E512ECBF8F8EEF15B51C14B637CB43D5F1D 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\E0F67C55B462CD51F01061DA33D6F0AFA752A280 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\5655E1190162229FBA39680C798AC5AE38C3D4B2 0 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\972EE004A111EE4524AE45632F693990009254BA 476309 bytes
File C:\Users\pcc\AppData\Local\Mozilla\Firefox\Profiles\1f2qb600.default\cache2\entries\0576D071D916C6A9B67FFA6FA7F71D85FEA6E35E 16570 bytes

---- EOF - GMER 2.2 ----
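Editor's note on reading the "User code sections" above. Every WOW64 process in the log, including GMER's own scanner process by7pipkt.exe[4316], shows the same eight ntdll stubs (NtSetInformationThread, NtQueryInformationThread, NtMapViewOfSection, NtWriteVirtualMemory, NtQueueApcThread, NtCreateThreadEx, NtGetContextThread, NtSetContextThread) patched with an identical `JMP QWORD [RIP-0x...]`, plus a handful of 8-byte writes inside RtlLargeIntegerToChar, LdrSetDllDirectory and RtlLockCurrentThread whose bytes differ per process. A RIP-relative `FF 25` jump reads its destination from a pointer slot at `address + 6 - displacement`; doing that arithmetic on the log's own numbers lands each jump on one of those 8-byte writes (for example NtSetInformationThread at 00007ffbac296260 resolves to 00007ffbac1f16b0, the LdrSetDllDirectory + 368 entry), so the "writes" are pointer slots the hooking engine carved into ntdll's .text and the bytes in them are the per-process trampoline addresses. The wow64cpu.dll entries all carry the constants 0xBAADF00D / 0xDEADC0DE (little-endian `0D F0 AD BA DE C0 AD ...`). The script below is an added example written for this page, not part of the GMER output or the original post: it parses GMER 2.2 user-mode records, follows each RIP-relative jump to its slot, decodes the pointer stored there, and separates sites whose patch is byte-identical in every scanned process from sites that vary. The sample lines are excerpted from the log above; the 6-byte `FF 25 disp32` encoding and a zero eighth pointer byte (GMER prints only seven) are assumptions noted in the code.

```python
"""Triage helper for GMER 2.2 'User code sections' records (added example)."""
import re
from collections import defaultdict

# One GMER user-mode record:
#   .text <image>[<pid>] <module>!<export>[ + <offset>] <address> <n> bytes <patch>
RECORD_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+(?P<patch>.+?)\s*$"
)
RIP_JMP_RE = re.compile(r"\{JMP QWORD \[RIP([+-])0x([0-9a-fA-F]+)\]\}")
BYTE_LIST_RE = re.compile(r"\b([0-9A-Fa-f]{2})\b")

# Constructed sample: lines excerpted from the log above (two of its processes).
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 8 bytes [50, 6E, B6, 7E, 00, 00, 00, ...]
.text ... * 2
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 8 bytes [20, 6E, B6, 7E, 00, 00, 00, ...]
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[8452] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffbac1f132f 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffbac1f16b0 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...]
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffbac296260 8 bytes {JMP QWORD [RIP-0xa4bb6]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffbac2965c0 8 bytes {JMP QWORD [RIP-0xa5297]}
.text C:\Users\pcc\Desktop\forum\gmer\by7pipkt.exe[4316] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000005f9f1462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
"""


def parse_records(log_text):
    """Parse every '.text' record; headers and '.text ... * N' elisions are skipped."""
    out = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["pid"] = int(r["pid"])
        r["offset"] = int(r["offset"] or 0)
        r["addr"] = int(r["addr"], 16)
        r["size"] = int(r["size"])
        r["module"] = r["module"].rsplit("\\", 1)[-1].lower()
        out.append(r)
    return out


def rip_jmp_target(addr, patch):
    """Resolve 'JMP QWORD [RIP+/-disp]'. Assumption: the FF 25 disp32 encoding is
    6 bytes, and RIP-relative displacement counts from the *next* instruction."""
    m = RIP_JMP_RE.search(patch)
    if not m:
        return None
    disp = int(m.group(2), 16)
    return addr + 6 + (disp if m.group(1) == "+" else -disp)


def patch_pointer(patch):
    """Decode a '[20, 6E, B6, 7E, 00, 00, 00, ...]' dump as a little-endian pointer.
    GMER prints only the first 7 bytes; the 8th is assumed 0 (user-mode address)."""
    if not patch.startswith("["):
        return None
    raw = bytes.fromhex("".join(BYTE_LIST_RE.findall(patch)))
    return int.from_bytes(raw.ljust(8, b"\x00")[:8], "little")


def resolve_hooks(records):
    """Per process, follow every RIP-relative JMP to its pointer slot and, when GMER
    also reported that slot as patched, read the trampoline pointer dumped there.
    Returns {pid: {export: (slot_addr, slot_label_or_None, pointer_or_None)}}."""
    by_pid = defaultdict(dict)
    for r in records:
        by_pid[r["pid"]][r["addr"]] = r
    chains = defaultdict(dict)
    for pid, sites in by_pid.items():
        for r in sites.values():
            slot = rip_jmp_target(r["addr"], r["patch"])
            if slot is None:
                continue
            slot_rec = sites.get(slot)
            if slot_rec is None:
                chains[pid][r["export"]] = (slot, None, None)
                continue
            label = f'{slot_rec["export"]}+{slot_rec["offset"]}'
            chains[pid][r["export"]] = (slot, label, patch_pointer(slot_rec["patch"]))
    return chains


def consistency(records):
    """Split hook sites into those patched identically in every scanned process
    (system-wide injection, it even hit the scanner's own process) and those whose
    bytes differ per process (typically per-process pointer slots)."""
    pids = {r["pid"] for r in records}
    sites = defaultdict(dict)
    for r in records:
        sites[(r["module"], r["export"], r["addr"])][r["pid"]] = r["patch"]
    identical, varying = [], []
    for key, per_pid in sites.items():
        if set(per_pid) == pids and len(set(per_pid.values())) == 1:
            identical.append(key)
        else:
            varying.append(key)
    return sorted(identical), sorted(varying)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for pid, chain in sorted(resolve_hooks(recs).items()):
        for export, (slot, label, ptr) in sorted(chain.items()):
            tail = f" -> trampoline {ptr:#x}" if ptr is not None else ""
            print(f"pid {pid}: {export} -> slot {slot:#x} ({label}){tail}")
    same, diff = consistency(recs)
    print("identical in every process:", [f"{m}!{e}" for m, e, _ in same])
    print("differs per process:", [f"{m}!{e}" for m, e, _ in diff])
```

Feed it the full log instead of SAMPLE_LOG and the picture is the same for all nine processes: the eight Nt* stubs and the wow64cpu.dll sites are identical everywhere, and only the pointer slots vary, which is the signature of one hooking DLL loaded into every 32-bit process rather than a targeted implant. The log does not say which product installed it, so the next step is to find that DLL in one of the listed processes (the trampoline addresses decoded above lie outside ntdll) and check its signature.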