GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2019-12-19 22:45:17 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f TOSHIBA_MQ01ABD100 rev.AX0A4M 931,51GB Running: qbhwiozx.exe; Driver: C:\Users\Jeanne\AppData\Local\Temp\awldypog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET Security\ekrn.exe[912] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\ekrn.exe[912] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\ekrn.exe[912] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\ekrn.exe[912] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atiesrxx.exe[948] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atiesrxx.exe[948] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atiesrxx.exe[948] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atiesrxx.exe[948] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atieclxx.exe[352] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atieclxx.exe[352] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atieclxx.exe[352] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\atieclxx.exe[352] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\WLANExt.exe[1176] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\WLANExt.exe[1176] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\WLANExt.exe[1176] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\WLANExt.exe[1176] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1540] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1540] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1540] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1540] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1540] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007fffa4551f6a 4 bytes [55, A4, FF, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1540] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007fffa4551f82 4 bytes [55, A4, FF, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.INSERTGT\MSSQL\Binn\sqlservr.exe[1656] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.INSERTGT\MSSQL\Binn\sqlservr.exe[1656] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.INSERTGT\MSSQL\Binn\sqlservr.exe[1656] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.INSERTGT\MSSQL\Binn\sqlservr.exe[1656] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1992] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1992] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1992] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1992] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1444] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1444] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1444] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1444] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files (x86)\TinyWall\TinyWall.exe[2152] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files (x86)\TinyWall\TinyWall.exe[2152] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files (x86)\TinyWall\TinyWall.exe[2152] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files (x86)\TinyWall\TinyWall.exe[2152] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3088] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3088] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3088] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3088] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\eguiproxy.exe[1696] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007fffbc5a169a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\eguiproxy.exe[1696] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007fffbc5a16a2 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\eguiproxy.exe[1696] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007fffbc5a181a 4 bytes [5A, BC, FF, 7F] .text C:\Program Files\ESET\ESET Security\eguiproxy.exe[1696] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007fffbc5a1832 4 bytes [5A, BC, FF, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2752] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7fff8c9717e4; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007fffbd93ac50 14 bytes {MOV RAX, 0x7ff6b96c11d0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007fffbd93adc0 14 bytes {MOV RAX, 0x7ff6b96c1200; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007fffbd93ade0 14 bytes {MOV RAX, 0x7ff6b96c1450; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007fffbd93adf0 14 bytes {MOV RAX, 0x7ff6b96c1380; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffbd93ae00 14 bytes {MOV RAX, 0x7ff6b96c1140; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007fffbd93ae20 14 bytes {MOV RAX, 0x7ff6b96c11b0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007fffbd93ae70 14 bytes {MOV RAX, 0x7ff6b96c1230; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007fffbd93ae80 14 bytes {MOV RAX, 0x7ff6b96c14a0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007fffbd93aeb0 14 bytes {MOV RAX, 0x7ff6b96c1300; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007fffbd93af50 14 bytes {MOV RAX, 0x7ff6b96c1340; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007fffbd93b0d0 14 bytes {MOV RAX, 0x7ff6b96c1270; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007fffbd93bc70 14 bytes {MOV RAX, 0x7ff6b96c1480; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007fffbd93bcc0 14 bytes {MOV RAX, 0x7ff6b96c1420; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007fffbd93be10 14 bytes {MOV RAX, 0x7ff6b96c1360; JMP RAX} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[924] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2164] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2180] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2468] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[804] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3024] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2960] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5716] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5928] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fff8298fc57] C:\Program Files (x86)\Google\Chrome\Application\78.0.3904.108\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7fffbd4d002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5704] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7fffbd4d006c] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [540:564] fffff960008d8b90 Thread C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [1028:240] 00000000755e78a0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x38 0x76 0xEB 0x9D ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x67 0xB2 0x45 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x38 0x76 0xEB 0x9D ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x67 0xB2 0x45 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 86 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC41460_00_07DD_7A^8345379FC0480CA8F01F10D8077BD311@Timestamp 0x9A 0xEC 0xFD 0x08 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 640 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1240664254 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID a7656660-1294-4717-8300-33a015b Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{ec9374e6-0261-4079-b5a1-e6543b6e1d79} Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@1008 0xA5 0xB1 0x5C 0xA8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a6419d88f Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{321249d8-a551-4c47-92d8-ccbb6be6cab8}@LastProbeTime 1576701470 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{321249d8-a551-4c47-92d8-ccbb6be6cab8}@NetworkPerformsHijacking 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{4A1D3855-368A-4CCE-A083-96F0614C4BF4}@DefunctTimestamp 0xAF 0x7F 0xFA 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ??r?, ?gru ?18 ?19, 09:27:48??????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2557174 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 9305 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{F8A79662-6FA5-43D0-B209-0EAB29100777} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RA4=255.255.255.255|Name=[TW9waFBDHCwa8N][TCP] Allow local subnet (broadcast)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{9580FF0E-A4CB-4F2D-B251-95267C05644C} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RA4=255.255.255.255|Name=[TW9waFBDHCwa8N][UDP] Allow local subnet (broadcast)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{9C685024-F040-4075-BB54-D962673803E7} v2.22|Action=Allow|Active=TRUE|Dir=In|RA4=LocalSubnet|RA6=LocalSubnet|Name=[TW9waFBDHCwa8N][in] Allow local subnet|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{46E4EE5E-5004-4422-9528-8BC377D9C080} v2.22|Action=Allow|Active=TRUE|Dir=Out|RA4=LocalSubnet|RA6=LocalSubnet|Name=[TW9waFBDHCwa8N][out] Allow local subnet|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{94D9B51C-42AD-40D0-83E7-37CC2EDAF1E1} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=443|RPort=80|App=C:\Windows\system32\svchost.exe|Name=[TWOWyPAs07SrWU] TCP Outbound Ports|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{CFB589DE-44E0-4F69-8B0D-518EC7538C82} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=C:\Windows\system32\svchost.exe|Svc=wuauserv|Name=[TWzHRMCTU3GnMK] TCP Outbound Ports|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{7064D0D7-FDA7-4178-88C8-896CDB63B4AB} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|RPort=123|App=C:\Windows\system32\svchost.exe|Svc=W32Time|Name=[TW2izmsQ9Dolxe][in] Time synchronization|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{23D7CBE1-1B18-46CC-B61B-505C87A727AF} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=123|App=C:\Windows\system32\svchost.exe|Svc=W32Time|Name=[TW2izmsQ9Dolxe][out] Time synchronization|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{F9922A8F-1C87-4E55-AA50-2C9D01D8D8E3} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=5357|RPort=5358|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=[TWGuTET8l04hBI] WSD Event Client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{732FFC11-F658-4197-B09B-F44A31E2BD5B} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=5357|LPort=5358|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=[TWGuTET8l04hBI] WSD Event Server|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{326A3EA4-1FEF-405A-8BA4-0B7E4DD71732} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=[TWGuTET8l04hBI] UPnP Client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{349C3FE0-910A-4559-B0AC-3BA8058CED5B} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=[TWGuTET8l04hBI] UPnP Server|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{C8353546-F68C-4D32-81F4-D6E36531EAD6} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=fdphost|Name=[TWp9s3yAEuGYIh] WSD Client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{47A8B86C-EE84-4765-B0A5-CEDF6E6B8E66} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3702|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=fdphost|Name=[TWp9s3yAEuGYIh] WSD Server|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{46C16C12-2C23-43E9-8908-9023E3A86494} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=upnphost|Name=[TWPa8QI9OmzmJZ] UPnP Client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{B2F3745F-9D81-497E-937F-D22BBF30984E} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=upnphost|Name=[TWPa8QI9OmzmJZ] UPnP Server|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{F173AC93-760A-4F5F-80C1-3D2BE08893C5} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=ssdpsrv|Name=[TWtXznhKXbgHz5] SSDP Client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{E559A9F5-A818-4CF9-B820-77D2D3CFAA99} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=ssdpsrv|Name=[TWtXznhKXbgHz5] SSDP Server|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{15510BB9-7DAD-44FA-8188-F61ED694CCBD} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv][in] LLMNR-UDP (server)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{C2143616-E036-4A8E-ADB1-F863FF23A420} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv][out] LLMNR-UDP (server)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{E1F2569C-293F-4986-8419-0B721423ACBD} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv][in] LLMNR-UDP (client)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{B37E1036-7743-4070-995C-3C6DB744807E} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv][out] LLMNR-UDP (client)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{2041E58F-AA8C-43D1-9F4A-9F916C0F2C4E} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|RPort=53|RA4=DNS|RA6=DNS|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv][in] DNS client UDP|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{1C5E79F1-7A52-433E-AE73-D95BE541E8AA} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53|RA4=DNS|RA6=DNS|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv][out] DNS client UDP|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{6E043D9A-B943-4423-BD3D-6B1D4D8A8C83} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort=53|RA4=DNS|RA6=DNS|App=C:\Windows\system32\svchost.exe|Svc=Dnscache|Name=[TWumH2Nqi2aAxv] DNS client TCP|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{5808DC7C-EEA2-4F6B-86F7-312012BC6079} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=67|App=C:\Windows\system32\svchost.exe|Svc=lmhosts|Name=[TWmAwUhivp2ljU] UDP Outbound Ports|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{4D90572B-F46C-4544-9750-3645801CAA99} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=546|RPort=547|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=dhcp|Name=[TWR3WJWnI1ZPgD][in] DHCP IPv6 client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{E95682DA-0592-488D-B611-71D9C588363E} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=546|RPort=547|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=dhcp|Name=[TWR3WJWnI1ZPgD][out] DHCP IPv6 client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{6C3FF9DE-37A3-468A-A1CC-38EECE522A05} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=68|RPort=67|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=dhcp|Name=[TWR3WJWnI1ZPgD][in] DHCP IPv4 client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{E0996CDF-F7E6-4D0D-B819-9EE11B442A23} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=68|RPort=67|RA4=LocalSubnet|RA6=LocalSubnet|App=C:\Windows\system32\svchost.exe|Svc=dhcp|Name=[TWR3WJWnI1ZPgD][out] DHCP IPv4 client|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{816A91D1-FC1E-43B3-8B1D-CBE12C1F3D88} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=C:\Program Files (x86)\TinyWall\TinyWall.exe|Name=[TWY760OKYgu7qH] TCP Outbound Ports|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{EAC067E9-52B2-4238-A2A0-361B0A8D42CA} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=129:0|ICMP6=1:*|ICMP6=3:*|ICMP6=2:0|Name=[TWXeG5AClHmxUq] ICMPv6 (safe)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{73CB4C85-0C72-482E-82F7-96D0ACBB57D6} v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=3:*|ICMP4=11:*|RA4=DefaultGateway|RA6=DefaultGateway|Name=[TWXeG5AClHmxUq] ICMPv4 (safe)|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{76B2393B-B72E-463F-A024-870E672DC7B8} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=128:0|Name=[TWXeG5AClHmxUq] ICMPv6 (echo-req) out|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{C007CC71-FEEA-4F1F-8C38-A481F19BB91E} v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|ICMP4=8:0|Name=[TWXeG5AClHmxUq] ICMPv4 (echo-req) out|Desc=| Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 111 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 164 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A547BD42-5610-454B-9E36-6E03F5805FD7}@LeaseObtainedTime 1576697867 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A547BD42-5610-454B-9E36-6E03F5805FD7}@T1 1576741067 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A547BD42-5610-454B-9E36-6E03F5805FD7}@T2 1576773467 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A547BD42-5610-454B-9E36-6E03F5805FD7}@LeaseTerminatesTime 1576784267 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A547BD42-5610-454B-9E36-6E03F5805FD7}@DhcpConnForceBroadcastFlag 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 4897 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----