#1 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
[Seven] "Win32:Rootkit-gen [Rtk]": false positive or what?
Hi, for a week or so I've had this thing that has been driving me nuts.
In theory it should be an old thing for Windows XP, but I have Seven instead... oh well, never mind, let's move on. Honestly, I don't know what negative effects it produces. Avast says it blocked it in time; I run a scan, have it delete the infected file, run a boot-time scan, everything is fine, and after a while/a few days, while I'm browsing the Internet, it reappears at random. I repeat the process, but it's always the same old story. I've also tried: 1) McAfee Rootkit Remover 2) Windows Defender 3) BitDefender Removal 4) Malwarebytes... something. None of them find anything. The only one that finds this thing, at random, is Avast! So far one would be tempted to think: "OK, it's a false positive, don't worry!" Except that:
[image]
I don't know what else to do, what do you suggest?
__________________
Intel 3770 - Asrock Z77 Extreme4 - Corsair DDR3 Veng 1600CL8 8GB - Crucial M4 256GB WD WD2002FAEX - Seasonic X-560 - Asus ROG STRIX-GTX1070-8G - LG 27GN850-B - Corsair Obsidian 550D |
#2 |
Banned
Joined: Dec 2013
Posts: 392
What makes you say it's a false positive? Did you have to run a crack or a patch for some program, or do you know the program itself? If so, then go to the antivirus's whitelist and paste its destination path. That way it won't bother you anymore.
Last edited by diana33: 03-06-2014 at 11:46.
#3 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
No, I don't remember any crack or anything like that; the last one I used was a century ago, so it's definitely not that.
I hadn't thought of looking at the Process ID... Now I've removed it again (with Avast) and it finds nothing; at the moment PID 4 is System (NT Kernel & System). As soon as it comes back (I already know it will...) I'll go and check what exactly it corresponds to. But once I've seen what it corresponds to, what do I do with that? You ask why I was wondering whether it was a false positive. Well... simply because Avast is the only antivirus or similar tool, of the ones I tried, that detects a threat. That made me a bit suspicious, but who knows...
#4 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
Now the file isn't there anymore (I deleted it :P)
But I already know it will come back. As soon as it does, I'll scan it with some online virus scanner, great idea!
#5
Banned
Joined: Dec 2013
Posts: 392
If that's not the case, as already said, type this command in the command prompt:
Code:
netstat -ano
If you want to keep Avast as your AV, try restoring it as in this guide: http://en.kioskea.net/faq/29640-avas...fault-settings and check its database updates. I don't call something a false positive just because only one of them finds a virus; better to do some research on the dedicated forums - for example the Avast forum is down because it was modified by hackers
#6 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
The issue of communications to the outside might not be a real issue. In the sense that there are gazillions of TIX, gateways, proxies and physical firewalls between my PC and the outside world (corporate network), but to be safe a little check is worth doing anyway, so thanks a lot for the tips.
The Avast forum is usually the first thing I check, but it's been down for several days lol, maybe even weeks xD
#7 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
Here we go! It just reappeared.
Now I'll do all the things we discussed. First step: impossible to do an online scan of the file pijsapoq.xrj. Even after unchecking "hide protected operating system files" in Windows, the file doesn't appear under the System32 folder, and it isn't in Avast's quarantine either. Second step: I ran netstat. Here are two screenshots, since I don't remember how to log DOS screens to a text file.
[screenshot] [screenshot]
There are several LISTENING processes and even one ESTABLISHED, all for PID 4. But are we sure they're all malicious processes set up by this trojan/virus?
Last edited by akumasama: 04-06-2014 at 08:43.
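The netstat -ano step from post #5 and the question in post #7 (are all the PID 4 entries malicious?) deserve a worked check. The following PowerShell is an added example, not code from the thread or from any of the tools mentioned in it: it parses netstat -ano output, resolves PIDs to images with Get-Process, and flags only entries that warrant a second look. PID 4 is the System process, which legitimately owns the SMB/NetBIOS listeners on 139 and 445 and the HTTP.sys listeners (5357, 2869, ...), so a PID 4 listener by itself proves nothing. The port baseline, the constructed sample rows and the English state names are my assumptions; the Temp path in the sample process map is copied from the GMER log later in the thread.

```powershell
# Added example, not code from the thread. Parses "netstat -ano" output (live or pasted),
# resolves each PID to an image and flags only what deserves a second look.
# PID 4 is the System process: it legitimately owns the SMB/NetBIOS listeners
# (139, 445) and the HTTP.sys listeners (5357, 2869, ...), so "PID 4 is LISTENING"
# is not evidence on its own. Assumptions (mine, not the thread's): the port
# baseline, the constructed sample rows, and English state names in netstat output.

function ConvertFrom-NetstatAno {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP rows carry a state column, UDP rows do not; the PID is always last.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            $proto = $matches[1]; $local = $matches[2]; $remote = $matches[3]
            $state = $matches[4]; $procId = [int]$matches[5]
            if (-not $state) { $state = '-' }
            # Split on the LAST colon so IPv6 forms such as [::]:445 keep their address.
            $li = $local.LastIndexOf(':'); $ri = $remote.LastIndexOf(':')
            New-Object PSObject -Property @{
                Proto      = $proto
                LocalAddr  = $local.Substring(0, $li)
                LocalPort  = [int]$local.Substring($li + 1)
                RemoteAddr = $remote.Substring(0, $ri)
                RemotePort = $remote.Substring($ri + 1)   # "*" on UDP rows, so kept as text
                State      = $state
                ProcessId  = $procId
            } | Select-Object Proto, LocalAddr, LocalPort, RemoteAddr, RemotePort, State, ProcessId
        }
    }
}

function Test-PrivateAddress {
    param([string]$Addr)
    # RFC 1918, loopback, unspecified, link-local IPv6 and the "*" that UDP rows carry.
    return ($Addr -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|0\.0\.0\.0$|\*|\[?(::|fe80))')
}

function Find-SuspectEntries {
    param(
        [object[]]$Entries,
        [hashtable]$ProcessMap = $null,   # PID -> image path; the live process table if omitted
        [int[]]$ExpectedSystemPorts = @(139, 445, 5357, 2869, 10243, 47001)
    )
    if (-not $ProcessMap) {
        $ProcessMap = @{}
        # Path is $null for processes you cannot open; run from an elevated prompt.
        Get-Process | ForEach-Object { $ProcessMap[[int]$_.Id] = $_.Path }
    }
    foreach ($e in $Entries) {
        $image = $ProcessMap[$e.ProcessId]
        $why = $null
        if ($e.ProcessId -eq 4) {
            $image = 'System (kernel: srv.sys / http.sys listeners)'
            if ($e.State -eq 'LISTENING' -and $ExpectedSystemPorts -notcontains $e.LocalPort) {
                $why = 'PID 4 listening outside the baseline'
            } elseif ($e.State -ne 'LISTENING' -and $e.State -ne '-' -and -not (Test-PrivateAddress $e.RemoteAddr)) {
                # A kernel-mode SMB session to a LAN file server is normal; one to the Internet is not.
                $why = 'PID 4 session to a non-private address'
            }
        } elseif ($image -and ($image -match '\\Temp\\' -or $image -match 'rundll32\.exe$')) {
            $why = 'image runs from a temp folder or through rundll32'
        }
        if ($why) {
            New-Object PSObject -Property @{
                ProcessId = $e.ProcessId; Image = $image; Why = $why
                Entry = "$($e.Proto) $($e.LocalAddr):$($e.LocalPort) -> $($e.RemoteAddr):$($e.RemotePort) $($e.State)"
            } | Select-Object ProcessId, Image, Entry, Why
        }
    }
}

# Constructed sample in the layout of the screenshots in post #7 (not the real output).
$SampleNetstat = @'
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       768
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       4
  TCP    10.20.1.55:139         0.0.0.0:0              LISTENING       4
  TCP    10.20.1.55:49211       10.20.1.7:445          ESTABLISHED     4
  TCP    10.20.1.55:49377       203.0.113.9:80         ESTABLISHED     2024
  UDP    0.0.0.0:137            *:*                                    4
'@ -split "`r?`n"
$SampleProcesses = @{
    768  = 'C:\Windows\system32\svchost.exe'
    2024 = 'C:\Users\ROTOND~1\AppData\Local\Temp\0572827\1251860.exe'   # path taken from the GMER log in post #12
}
Find-SuspectEntries -Entries (ConvertFrom-NetstatAno $SampleNetstat) -ProcessMap $SampleProcesses | Format-Table -AutoSize
# Live run, elevated:  Find-SuspectEntries -Entries (ConvertFrom-NetstatAno (netstat -ano))
# To keep a copy instead of screenshots:  netstat -ano > "$env:USERPROFILE\Desktop\netstat.txt"
```

On the constructed sample only two rows come back: the PID 4 listener on 8443 (outside the baseline) and PID 2024 (an image under a Temp folder). The ESTABLISHED PID 4 session to 10.20.1.7:445 is left alone because it is what a mapped share or the domain's SYSVOL access looks like on a domain-joined client. Anything the script flags for PID 4 should be cross-checked with `netsh http show servicestate` (HTTP.sys listeners) and `net share` before being called malicious; the script narrows the list, it does not convict.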
#8 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
On the other hand, I found this, which I hadn't noticed before:
[image]
It seems there are scheduled processes, and that's why even when I delete it, after a while (random) it comes back. Because the schedule re-runs that thing and restarts the process at random. Once executed, even though Avast detects the threat and says it stopped it, it doesn't stop a damn thing, and via PID 4 temporary files infected with the Conficker worm get downloaded into the System32 folder. I really think my hypothesis is correct. I'm surprised, though, that Avast and the other software I used can't completely remove, or even detect, this threat. Even ESET SysInspector sees it as a moderate level 1 threat. What the...
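The scheduled tasks found in post #8, and the complaint in post #12 that SysInspector shows the two rundll entries but nothing removes them, can be handled from the command line on Windows 7 with schtasks. The block below is an added example, not code from the thread or from any tool named in it: it reads the CSV that `schtasks /query /v /fo CSV` prints, flags tasks that launch rundll32 with a module outside %SystemRoot% or with an extension other than .dll/.cpl (the pijsapoq.xrj pattern from post #7), or that run anything from a Temp/AppData path, and deletes them only when asked. Fields are read by position rather than header name so a localized (Italian) Windows parses the same way. The sample rows, host name, task names and the jpq.dll path are constructed; only pijsapoq.xrj comes from the thread.

```powershell
# Added example, not code from the thread. Reads the CSV that "schtasks /query /v /fo CSV"
# prints, flags tasks that launch rundll32 with a module that is either outside
# %SystemRoot% or not a .dll/.cpl (the pijsapoq.xrj pattern from post #7) or that run
# anything from a Temp/AppData path, and deletes them only when asked. Fields are read
# by position, not header name, so a localized (Italian) Windows works too.
# The sample rows below are constructed; only the pijsapoq.xrj name comes from the thread.

function ConvertFrom-SchtasksCsv {
    param([string[]]$Lines)
    $header = $Lines[0]          # schtasks repeats this row before each task folder
    foreach ($line in $Lines) {
        if ($line -eq $header -or -not $line.Trim()) { continue }
        # Every field is quoted, so "," is the separator; doubled quotes are CSV escapes.
        $f = @(($line.Trim('"') -split '","') | ForEach-Object { $_ -replace '""', '"' })
        if ($f.Count -lt 15) { continue }
        New-Object PSObject -Property @{
            TaskName  = $f[1]
            Author    = $f[7]
            TaskToRun = $f[8]
            RunAsUser = $f[14]
        } | Select-Object TaskName, Author, TaskToRun, RunAsUser
    }
}

function Find-SuspectTasks {
    param([object[]]$Tasks)
    foreach ($t in $Tasks) {
        $why = $null
        if ($t.TaskToRun -match 'rundll32(\.exe)?\s+"*([^",]+)') {
            # rundll32 is only as bad as the module it loads: judge the module.
            $module = $matches[2].Trim()
            if ($module -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)\\' -or $module -notmatch '\.(dll|cpl)$') {
                $why = "rundll32 loads '$module'"
            }
        } elseif ($t.TaskToRun -match '\\Temp\\|\\AppData\\') {
            $why = 'runs from a user-writable path'
        }
        if ($why) {
            New-Object PSObject -Property @{ TaskName = $t.TaskName; RunAsUser = $t.RunAsUser; Author = $t.Author; Why = $why } |
                Select-Object TaskName, RunAsUser, Author, Why
        }
    }
}

function Remove-SuspectTasks {
    param([object[]]$Suspects, [switch]$Apply)   # dry run unless -Apply (elevated prompt)
    foreach ($s in $Suspects) {
        if ($Apply) { schtasks /delete /tn $s.TaskName /f }
        else        { "would run: schtasks /delete /tn `"$($s.TaskName)`" /f" }
    }
}

# Constructed sample: the first 15 columns of "schtasks /query /v /fo CSV" (the real output
# has more trailing columns, which the parser ignores), including a repeated header row.
$SampleCsv = @'
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c","N/A","N/A","Enabled","Disabled","","SYSTEM"
"WS01","\At1","05/06/2014 09:30:00","Ready","Background only","05/06/2014 08:30:00","0","WS01\Senio-Local","rundll32.exe C:\Windows\system32\pijsapoq.xrj,Run","N/A","N/A","Enabled","Disabled","","SYSTEM"
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"
"WS01","\At2","05/06/2014 10:00:00","Ready","Background only","N/A","0","WS01\Senio-Local","C:\Windows\system32\rundll32.exe ""C:\Users\Senio-local\AppData\Local\Temp\jpq.dll"",Start","N/A","N/A","Enabled","Disabled","","SYSTEM"
'@ -split "`r?`n"

$suspects = Find-SuspectTasks (ConvertFrom-SchtasksCsv $SampleCsv)
$suspects | Format-Table -AutoSize
Remove-SuspectTasks $suspects          # prints the schtasks commands; add -Apply to run them
# Live:  $suspects = Find-SuspectTasks (ConvertFrom-SchtasksCsv (schtasks /query /v /fo CSV))
```

Deleting the task removes the trigger, not the module it loads, so copy the module path out of the `Why` column before running with `-Apply` and preserve the file for a scanner. Two details matter for the "file is not in System32" observation in post #7: the machine is x64 (the GMER header says so), and a 32-bit process that writes to C:\Windows\System32 is redirected by WOW64 to C:\Windows\SysWOW64, so check both folders with `Get-Item -Force` or `dir /a` from an elevated prompt rather than with Explorer. The task definitions themselves live as XML under %SystemRoot%\System32\Tasks, which is a second place to look if schtasks output and SysInspector disagree.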
#9 |
Moderator
Joined: Jun 2007
Location: 127.0.0.1
Posts: 25885
Attach a Gmer log
__________________
Try again and you will be luckier.
#10 |
Banned
Joined: Dec 2013
Posts: 392
Yes, it's not a very nice situation - you'll have a script in rundll that re-runs itself every time and schedules itself to download its files. In the meantime, start like this: disable your ports 139 and 445 - in any case you should never need these ports outbound, even though you're on the corporate network:

NetBIOS security
NetBIOS carries in its packets information such as domain information, computer names and account information. This information should never leave your local network, because its discovery by malicious people could lead to a breach of network security. Disabling NetBIOS over TCP/IP is altogether the best option unless NetBIOS is a requirement on the network. That could be the case if you have older network applications that need NetBIOS to communicate.

Resource sharing in Windows 7
Network resource sharing on port 445, as implemented in Windows 7, is more efficient than running SMB over NetBIOS over TCP/IP. This method eliminates NetBIOS and the security risks associated with ports 135, 137 and 139. You can actually disable NetBIOS over TCP/IP in Windows 7 through the network adapter's advanced settings. You can also disable NBT by setting the Microsoft vendor-specific option code 1 to a value of 2 on the DHCP server.

Protecting port 445
Disabling NBT achieves a level of security that leaves these ports functional, but you still need to secure port 445. It is best to set the firewall to never allow port 445 outbound network traffic. Some recommend disabling port 445 on the firewall unless you really need it for a period of time. This is harder, but it is the safest method for using port 445.

Your port 445 is communicating with the outside, downloading files through a server that I couldn't even find on IANA.

As Chill-Out said, post a Gmer log too, although I think the situation goes beyond that... your computer is what is called a zombie - it gets called over the network, and it can hand out information about your bank accounts, or launch malicious scripts at others - well, the Zeus bot type. I'd really like to know who your network technician is.
Last edited by diana33: 04-06-2014 at 21:45.
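The advice above to stop 139 and 445 outbound, and the question in post #12 about doing it from the command line rather than the Windows Firewall GUI, map onto the netsh advfirewall interface that Windows 7 ships with. The block below is an added example, not code from the thread or from any vendor named in it. It blocks outbound SMB/NetBIOS (TCP 139/445, UDP 137/138) only toward IPv4 addresses outside the private ranges and enables dropped-packet logging so blocked attempts become evidence. Private ranges are deliberately left open: on a domain-joined client, 445 to the domain controllers and file servers is required for SYSVOL, logon scripts and shares, and blocking it would break exactly the corporate network the user is on. The rule names and the range list are my choices, not settings from the thread.

```powershell
# Added example, not code from the thread. Blocks outbound SMB/NetBIOS (TCP 139/445,
# UDP 137/138) to every IPv4 address outside the private ranges with the netsh
# advfirewall interface that Windows 7 ships with, and turns on dropped-packet logging
# so the blocked attempts become evidence. Private ranges stay open on purpose: on a
# domain network 445 to the DCs and file servers is needed (SYSVOL, logon scripts,
# shares). Rule names and the ranges are my own choices, not settings from the thread.

# All IPv4 space except 0/8, 10/8, 127/8, 172.16/12, 192.168/16 and 224/4.
$NonPrivateIPv4 = '1.0.0.0-9.255.255.255,11.0.0.0-126.255.255.255,128.0.0.0-172.15.255.255,' +
                  '172.32.0.0-192.167.255.255,192.169.0.0-223.255.255.255'

$Rules = @(
    @{ Name = 'Block-SMB-Out-NonPrivate';     Proto = 'TCP'; Ports = '139,445' },
    @{ Name = 'Block-NetBIOS-Out-NonPrivate'; Proto = 'UDP'; Ports = '137,138' }
)

function Get-SmbEgressRuleCommands {
    # Returns the netsh argument lines as strings so they can be reviewed before anything runs.
    foreach ($r in $Rules) {
        "advfirewall firewall add rule name=$($r.Name) dir=out action=block enable=yes profile=any " +
        "protocol=$($r.Proto) remoteport=$($r.Ports) remoteip=$NonPrivateIPv4"
    }
}

function Set-SmbEgressBlock {
    param([switch]$Apply)   # dry run unless -Apply; -Apply needs an elevated prompt
    foreach ($cmd in Get-SmbEgressRuleCommands) {
        if ($Apply) { & netsh ($cmd -split ' ') }   # no argument contains spaces, so the split is safe
        else        { "netsh $cmd" }
    }
    if ($Apply) {
        # Dropped packets are written to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
        netsh advfirewall set allprofiles logging droppedconnections enable
        foreach ($r in $Rules) { netsh advfirewall firewall show rule "name=$($r.Name)" }
    }
}

Set-SmbEgressBlock            # prints the two netsh commands without changing anything
# Set-SmbEgressBlock -Apply   # creates the rules and enables logging (elevated)
# Undo:  netsh advfirewall firewall delete rule name=Block-SMB-Out-NonPrivate
```

Two caveats before relying on this. If the Windows Firewall is managed by Group Policy with "apply local firewall rules" turned off, a locally added rule is silently ignored, which is one more reason to involve whoever runs the domain. And these rules only stop traffic leaving toward the Internet; a worm that spreads over 445 inside the LAN (the user's own Conficker hypothesis) is untouched by them, which is a job for the network team's segmentation, not the host firewall. After applying, rerun netstat -ano and look for DROP lines with destination port 445 in pfirewall.log: those lines, with their timestamps and the destination addresses, are the evidence the earlier screenshots could not give.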
#11 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
Holy cow, what a mess. Let's see if I can close these ports that I haven't touched in ages.
I still have to understand how the heck this infection got in on an up-to-date Windows 7 with an active antivirus. Above all, I don't understand why the antiviruses have such a hard time detecting this threat and removing it completely. Like the scheduled events: I can see them... why can't the antiviruses see them too? Why don't they remove them? Etc etc. At this point it's going to turn out I'd have been quicker to format everything...
Last edited by akumasama: 05-06-2014 at 07:02.
#12 |
Senior Member
Joined: Jun 2002
Location: Siena-Firenze
Posts: 1276
I've disabled IPv2 and NetBIOS; I don't know whether our network needs them (it's a domain-based network), I'll find out.
Below is the Gmer log. I see it pulls out a lot of stuff from the user account "Senio-Local", which isn't even used; it was an account created once, I don't even remember why, but it's not the user account normally in use, which should be rotondi_s and is a network account (but obviously with its own folder inside c:\Utenti). I still don't understand why it's so hard to remove those two rundll scripts from the scheduled tasks. Damn it, ESET SysInspector shows them to me, lets me see them... why can't I remove them in any way? Then ports 445 and 139: I don't know how to close them, any advice? I can't do it through Windows Firewall; isn't there a way to do it via CMD?
Code:
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-05 08:24:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500413AS rev.JC45 465,76GB
Running: gmer.exe; Driver: C:\Users\ROTOND~1\AppData\Local\Temp\kgldapoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff80002e05000 45 bytes [00, 00, 23, 02, 4E, 53, 49, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 591 fffff80002e0502f 16 bytes [00, 58, 40, E3, 06, 80, FA, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[448] C:\Windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\wininit.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\winlogon.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\lsm.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\atiesrxx.exe[932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\atieclxx.exe[1156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\System32\spoolsv.exe[1488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1756] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\taskhost.exe[2252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\Dwm.exe[2360] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\Explorer.EXE[2372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\taskeng.exe[2656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[2772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[2996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2416] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2416] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [2416] entry point in ".rdata" section 000000006dd871e6
.text C:\Windows\system32\SearchIndexer.exe[2908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3252] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000752387b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3252] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3260] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3292] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[3956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3272] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\wbem\unsecapp.exe[4480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[4384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files (x86)\Nero\Update\NASvc.exe[1772] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe[4260] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Users\ROTOND~1\AppData\Local\Temp\0572827\1251860.exe[2024] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Windows\system32\taskhost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe[2872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Windows\system32\taskeng.exe[5252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001000301f8
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001000303fc
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3928] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [3928] entry point in ".rdata" section 000000006dd871e6
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x11d628; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x11d668; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0x11d5a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x11d528; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x11d728; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x11d768; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x11d6e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x11d6a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x11d468; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x11d4a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x11d428; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x11d5e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x11d568; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x11d4e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001001d01f8
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001001d03fc
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[1656] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x373e28; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x373e68; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpen Process + 5 000000007720fc25 7 bytes {MOV EDX, 0x373da8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x373d28; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x373f28; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x373f68; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x373ee8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x373ea8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x373c68; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x373ca8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x373c28; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x373de8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x373d68; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x373ce8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001004501f8
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001004503fc
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0xf92228; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0xf92268; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0xf921a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0xf92128; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0xf92328; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0xf92368; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0xf922e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0xf922a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0xf92068; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0xf920a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0xf92028; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0xf921e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0xf92168; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0xf920e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001010701f8
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001010703fc
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x400628; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x400668; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0x4005a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x400528; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x400728; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x400768; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x4006e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x4006a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x400468; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x4004a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x400428; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x4005e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x400568; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x4004e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001004d01f8
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001004d03fc
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75]
.text ... * 2
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0xf19628; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0xf19668; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0xf195a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0xf19528; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0xf19728; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0xf19768; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0xf196e8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0xf196a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0xf19468; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0xf194a8; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804]
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0xf19428; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0xf195e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0xf19568; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0xf194e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 0000000100ff01f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 0000000100ff03fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0xc1da28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0xc1da68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0xc1d9a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0xc1d928; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0xc1db28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0xc1db68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0xc1dae8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0xc1daa8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0xc1d868; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0xc1d8a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0xc1d828; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0xc1d9e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0xc1d968; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0xc1d8e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 0000000100ce01f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 0000000100ce03fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x85da28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x85da68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0x85d9a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x85d928; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x85db28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x85db68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x85dae8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x85daa8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x85d868; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x85d8a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x85d828; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x85d9e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x85d968; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x85d8e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001009201f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001009203fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x747e28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x747e68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0x747da8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x747d28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x747f28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x747f68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x747ee8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x747ea8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x747c68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x747ca8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x747c28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x747de8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x747d68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x747ce8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001008501f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001008503fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x118e28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x118e68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 2 bytes [BA, A8] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 8 000000007720fc28 4 bytes {ADC [RAX], EAX; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 2 bytes [BA, 28] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 8 000000007720fc40 4 bytes {ADC [RAX], EAX; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x118f28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x118f68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x118ee8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x118ea8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 
000000007720fd69 7 bytes {MOV EDX, 0x118c68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x118ca8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x118c28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 2 bytes [BA, E8] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 8 00000000772110c8 4 bytes {ADC [RAX], EAX; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 2 bytes [BA, 68] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 8 0000000077211140 4 bytes {ADC [RAX], EAX; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x118ce8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001002101f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001002103fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 
0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... * 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x609628; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x609668; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0x6095a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x609528; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x609728; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x609768; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x6096e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x6096a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x609468; JMP RDX} .text 
C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x6094a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x609428; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x6095e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x609568; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x6094e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001006d01f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001006d03fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0xa1ae28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0xa1ae68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0xa1ada8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0xa1ad28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0xa1af28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0xa1af68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0xa1aee8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0xa1aea8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0xa1ac68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0xa1aca8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0xa1ac28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0xa1ade8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0xa1ad68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0xa1ace8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 3 bytes JMP 0000000100ae01f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll + 4 000000007722c4e1 1 byte [89] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 0000000100ae03fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[3964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007720f9b1 7 bytes {MOV EDX, 0x3aea28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007720fbf5 7 bytes {MOV EDX, 0x3aea68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007720fc25 7 bytes {MOV EDX, 0x3ae9a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007720fc3d 7 bytes {MOV EDX, 0x3ae928; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007720fc55 7 bytes {MOV EDX, 0x3aeb28; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007720fc85 7 bytes {MOV EDX, 0x3aeb68; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007720fd05 7 bytes {MOV EDX, 0x3aeae8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007720fd1d 7 bytes {MOV EDX, 0x3aeaa8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007720fd69 7 bytes {MOV EDX, 0x3ae868; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007720fe61 7 bytes {MOV EDX, 0x3ae8a8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x3ae828; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772110c5 7 bytes {MOV EDX, 0x3ae9e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007721113d 7 bytes {MOV EDX, 0x3ae968; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077211341 7 bytes {MOV EDX, 0x3ae8e8; JMP RDX} .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001004001f8 .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077231287 5 bytes JMP 00000001004003fc .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[5248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... 
* 2 .text C:\Windows\system32\AUDIODG.EXE[1928] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
.text C:\Users\ROTOND~1\AppData\Local\Temp\Rar$EXa0.586\gmer.exe[3832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2792:2988] 000007fef5fc3e0c
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2792:2332] 000007fef5fc3e0c
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2792:2652] 000007fef4b7bc60

---- Processes - GMER 2.1 ----

Process C:\Users\ROTOND~1\AppData\Local\Temp\Rar$EXa0.586\gmer.exe (*** suspicious ***) @ C:\Users\ROTOND~1\AppData\Local\Temp\Rar$EXa0.586\gmer.exe [3832](2014-06-05 06:11:20) 0000000000400000

---- EOF - GMER 2.1 ----
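The hook table in the dump above is easier to judge once it is back to one entry per line and grouped by process. The following Python is an added example written for this thread, not GMER's own code or anything the poster ran. It assumes GMER's entry layout as it appears in the dump (`.text <process>[pid] <module>!<export> + <offset> <address> <n> bytes <patch>`), and its sample input is five entries copied from the dump, one per line as GMER writes them. The heuristic at the end is an assumption of mine, not something GMER reports: a hook set that repeats identically in every process of the same image (as the chrome.exe entries do in the full log) is consistent with the application's own instrumentation, whereas a hook that shows up in only one sibling is the one to look at first.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: five entries copied from the GMER dump in this thread, one
# entry per line, which is how GMER writes them (the forum flattened the log).
SAMPLE = r"""
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0xf92028; JMP RDX}
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007722c4dd 5 bytes JMP 00000001010701f8
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[6040] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007525a30a 1 byte [62]
.text C:\Users\Senio-local\AppData\Local\Google\Chrome\Application\chrome.exe[4180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772100b9 7 bytes {MOV EDX, 0x400428; JMP RDX}
.text C:\Windows\system32\AUDIODG.EXE[1928] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007698eecd 1 byte [62]
"""

# One "user code sections" entry (layout assumed from the dump above):
#   .text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+)$"
)


@dataclass(frozen=True)
class Hook:
    image: str     # process image basename, e.g. chrome.exe
    pid: int
    module: str    # hooked DLL basename, lower-cased
    export: str    # hooked export name
    offset: int    # bytes past the export's entry point (0 when at the entry)
    addr: int      # address of the patched bytes
    size: int      # number of patched bytes
    patch: str     # GMER's rendering of the new bytes / instructions
    kind: str      # "inline-jmp", "byte-patch" or "other"

    @property
    def target(self) -> str:
        return f"{self.module}!{self.export}"


def classify_patch(patch: str) -> str:
    """Separate control-flow detours (a JMP somewhere) from bare byte overwrites."""
    p = patch.strip().upper()
    if "JMP" in p:
        return "inline-jmp"
    if p.startswith("["):
        return "byte-patch"
    return "other"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text: str) -> list:
    """Parse every hook entry in a GMER dump; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, thread/process entries, "..." fillers
        hooks.append(Hook(
            image=_basename(m["proc"]),
            pid=int(m["pid"]),
            module=_basename(m["module"]).lower(),
            export=m["export"],
            offset=int(m["offset"] or 0),
            addr=int(m["addr"], 16),
            size=int(m["size"]),
            patch=m["patch"].strip(),
            kind=classify_patch(m["patch"]),
        ))
    return hooks


def hooks_by_process(hooks) -> dict:
    """{(image, pid): set of 'module!export'} for every hooked process."""
    out = defaultdict(set)
    for h in hooks:
        out[(h.image, h.pid)].add(h.target)
    return dict(out)


def partial_hooks(hooks) -> dict:
    """Per image, the hooks that exist in only some of its processes (assumed heuristic)."""
    by_image = defaultdict(list)
    for (image, _pid), targets in hooks_by_process(hooks).items():
        by_image[image].append(targets)
    return {image: sorted(set.union(*sets) - set.intersection(*sets))
            for image, sets in by_image.items()}


if __name__ == "__main__":
    found = parse_gmer(SAMPLE)
    for key, targets in sorted(hooks_by_process(found).items()):
        print(key, sorted(targets))
    print("hooks not shared by all siblings:", partial_hooks(found))
```

Point `parse_gmer` at the text of a saved gmer.log to run it on a real dump; the regex skips the thread, process and section-header lines on its own.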
#13
Senior Member
Joined: Jun 2002
City: Siena-Firenze
Posts: 1276
In the meantime I finished the advanced scan (it took forever) with Emsisoft and it found DownadupJob.A (B) and Downadup.Gen (B).
Removed both. It had to reboot to delete some files. It has just rebooted, and in the meantime I noticed that the scheduled rundll tasks related to the pijsapoq.xrl.something file have disappeared. Huh? If it doesn't come back within a few days I'd say I've got rid of it. I'm keeping NetBIOS disabled anyway. Regardless of whether it's been completely removed or not, I'm left with the following doubts:
1) How on earth is it possible that I picked up this infection with firewall on top of firewall and an active antivirus? Does it come from outside, or could it have been an automated attack from an infected PC inside the LAN?
2) Why all these different names? Avast detected it as I wrote in the title, other software detected Conficker, Emsisoft detected Downadup (which is actually a modified version of Conficker, so that adds up).
I'm inclined to think Avast is complete crap. Here on the network we have Sophos Enterprise, but on this PC (which is a temporary secondary PC that I own) there's Avast. It's basically my old desktop PC (on the new one I have at home I use Nod32 instead).
#14
Banned
Joined: Dec 2013
Posts: 392
Quote:
Code:
sfc /scannow
Quote:
Quote:
From the window that opens, go to Advanced and you will find the entry "NetBIOS over TCP/IP" ticked; untick it and the port is closed. The same goes for port 445, which is for file sharing on the network: simply follow the same steps as for 139 and untick "File and Printer Sharing for Microsoft Networks".
Quote:
Quote:
At this point, call your technician or the company that provides your business IT services and kindly ask them to run pentests to check for all the holes your network may have.
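As an added example, not code from the thread: a PowerShell audit script that puts together the checks the two posts above touch on. It lists scheduled tasks whose action launches rundll32 (the persistence noticed in #13), shows the NetBIOS over TCP/IP setting per adapter and whether anything listens on 139/445 (the ports #14 closes), and, with the hypothetical -DisableNetbios switch, applies the NetBIOS change. It assumes Windows 7 or later with PowerShell 2 or later, run from an elevated prompt.

```powershell
param([switch]$DisableNetbios)   # hypothetical switch; without it the script only reports

# Scheduled tasks whose action runs rundll32: task definitions are XML files
# under System32\Tasks, so this works whatever the Windows display language.
function Get-Rundll32Task {
    $taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ChildItem -Path $taskRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -Path $file.FullName -ErrorAction Stop) } catch { return }
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                if ($exec -and $exec.Command -match 'rundll32') {
                    New-Object PSObject -Property @{
                        Task      = $file.FullName.Substring($taskRoot.Length)
                        Command   = $exec.Command
                        Arguments = $exec.Arguments
                    }
                }
            }
        }
}

# NetBIOS over TCP/IP per IP-enabled adapter: 0 = DHCP default, 1 = enabled, 2 = disabled.
function Get-NetbiosState {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, TcpipNetbiosOptions
}

# TCP sockets listening on 139 (NetBIOS session) and 445 (SMB). 445 belongs to
# the System process (PID 4) while File and Printer Sharing is bound, so it
# stays open even after NetBIOS over TCP/IP is disabled.
function Get-SmbListener {
    [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
        Where-Object { $_.Port -eq 139 -or $_.Port -eq 445 }
}

'== Scheduled tasks that launch rundll32 =='
Get-Rundll32Task | Format-Table Task, Command, Arguments -AutoSize
'== NetBIOS over TCP/IP (0 = DHCP default, 1 = enabled, 2 = disabled) =='
Get-NetbiosState | Format-Table -AutoSize
'== TCP listeners on 139/445 =='
Get-SmbListener | Format-Table Address, Port -AutoSize

if ($DisableNetbios) {
    # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on the adapter (closes 137-139)
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { [void]$_.SetTcpipNetbios(2) }
}
```

A rundll32 task pointing at a random-named DLL in a user or temp directory is the thing to look at first; the listing alone changes nothing on the system.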
#15
Senior Member
Joined: Nov 2013
City: Milano
Posts: 5136
In theory, could it have been an infection carried by an infected USB stick or USB hard drive that was connected to the computer in question?
That might explain how the corporate network's defences were bypassed.
#16
Senior Member
Joined: Jun 2002
City: Siena-Firenze
Posts: 1276
Yes, I did come across an infected USB stick just last week; the timing would match too.
Except that Avast! detected it and said it had disinfected it... apparently that wasn't the case. My doubt about how it happened was mostly for other reasons. What Diana says is absolutely true: nothing is 100% safe, and if they breach the databases of huge companies, a hacker would hardly have trouble getting into my PC if he really wanted to. The point is... why would he, lol? I know it doesn't come across in this thread and I look like a total noob like a thousand others, but I assure you that I'm usually a very careful person and I know a little about how to handle myself. OK, everyone gets distracted etc., but it seemed odd to me and it annoyed me that I got fooled like this without even noticing anything. Anyway, thanks everyone, you've been very helpful.
All times are GMT +1. The time now is 22:54.