GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-02 20:48:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-001CA0 rev.15.01H15 465,76GB
Running: d35rgsuh.exe; Driver: C:\Users\MRNOBO~1\AppData\Local\Temp\kxliypog.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075521bb2 5 bytes JMP 000000006d7ab9fb
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075521d92 5 bytes JMP 000000006d7aba65
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000763b1465 2 bytes [3B, 76]
.text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763b14bb 2 bytes [3B, 76]
.text ... * 2
.text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000763b1465 2 bytes [3B, 76]
.text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763b14bb 2 bytes [3B, 76]
.text ...
* 2 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD [RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes {JMP QWORD [RIP+0x15565a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes {JMP QWORD [RIP+0xcde1a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes {JMP QWORD [RIP+0xcdf3a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\SHELL32.dll!ShellExecuteW 000007fefe6e983c 6 bytes {JMP QWORD [RIP+0x12a77be]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\SHELL32.dll!ShellExecuteExW 000007fefe6f7c70 6 bytes {JMP QWORD [RIP+0x12b938a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!HttpSendRequestW 
000007fefdfe3b6c 6 bytes {JMP QWORD [RIP+0x46d48e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes {JMP QWORD [RIP+0x11da9e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes {JMP QWORD [RIP+0x4aa722]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes {JMP QWORD [RIP+0x12e386]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes {JMP QWORD [RIP+0x481966]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes {JMP QWORD [RIP+0x147936]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes {JMP QWORD [RIP+0x1274ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] 
C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes JMP 41d50000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes {JMP QWORD [RIP+0x1a70fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes JMP fcfefffa .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 
00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD 
[RIP+0x8adf7ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes JMP fcfeff6c .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes JMP fcfefffa .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] 
C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes JMP fcfefffa .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes JMP fcfefffa .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes JMP fcfefffa .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes JMP f4f7ffef .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes JMP f4f7ffef .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes JMP 9695ffcf .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes {JMP QWORD [RIP+0x15565a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes JMP 1000100 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes JMP 1000100 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] 
C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes {JMP QWORD [RIP+0x33d6e6]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes JMP db337024 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes {JMP QWORD [RIP+0x4aa722]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes {JMP QWORD [RIP+0x481966]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] 
C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes {JMP QWORD [RIP+0x18765e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes {JMP QWORD [RIP+0x16735a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes {JMP QWORD [RIP+0x1a70fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 
00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP 
RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD [RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes {JMP QWORD [RIP+0x15565a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] 
C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes {JMP QWORD [RIP+0xcde1a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes {JMP QWORD [RIP+0xcdf3a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes {JMP QWORD [RIP+0x33d6e6]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes {JMP QWORD [RIP+0x11da9e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes {JMP QWORD [RIP+0x13d6ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes {JMP QWORD [RIP+0x12e386]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes JMP 0 .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes JMP 64006e .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes {JMP QWORD [RIP+0x147936]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes {JMP QWORD [RIP+0x18765e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes {JMP QWORD [RIP+0x1274ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes {JMP QWORD [RIP+0x16735a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes {JMP QWORD [RIP+0x1a70fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD 
[RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes {JMP QWORD [RIP+0x15565a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes {JMP QWORD [RIP+0xcde1a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes {JMP QWORD [RIP+0xcdf3a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes {JMP QWORD [RIP+0x33d6e6]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes JMP 1e1b0000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes {JMP QWORD [RIP+0x46d48e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] 
C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes {JMP QWORD [RIP+0x11da9e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes {JMP QWORD [RIP+0x13d6ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes {JMP QWORD [RIP+0x4aa722]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes {JMP QWORD [RIP+0x12e386]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes JMP 860fffff .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes {JMP QWORD [RIP+0x147936]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes JMP 76600000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes {JMP QWORD [RIP+0x1274ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes {JMP QWORD [RIP+0x16735a]} 
.text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes JMP 6eb0000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] 
C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD [RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes {JMP QWORD [RIP+0x15565a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes {JMP QWORD [RIP+0xcde1a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes {JMP QWORD [RIP+0xcdf3a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP 
QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes {JMP QWORD [RIP+0x33d6e6]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes JMP 8800 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes {JMP QWORD [RIP+0x11da9e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes {JMP QWORD [RIP+0x13d6ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes {JMP QWORD [RIP+0x4aa722]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes JMP 84c36333 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes JMP 40 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes JMP 6740000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 
000007fefe2296c5 5 bytes {JMP QWORD [RIP+0x147936]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes {JMP QWORD [RIP+0x18765e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes {JMP QWORD [RIP+0x16735a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes {JMP QWORD [RIP+0x1a70fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] 
.text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] 
C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD [RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes JMP 
0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes {JMP QWORD [RIP+0xcde1a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes {JMP QWORD [RIP+0xcdf3a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes {JMP QWORD [RIP+0x33d6e6]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes {JMP QWORD [RIP+0x11da9e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes {JMP QWORD [RIP+0x12e386]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 
000007fefe022dc1 5 bytes {JMP QWORD [RIP+0x40e23a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes {JMP QWORD [RIP+0x4319fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes JMP 52004f .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes {JMP QWORD [RIP+0x18765e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes {JMP QWORD [RIP+0x1274ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes {JMP QWORD [RIP+0x1a70fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD 
[RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes {JMP QWORD [RIP+0xbf6aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes {JMP QWORD [RIP+0x15565a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes {JMP QWORD [RIP+0xcde1a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes {JMP QWORD [RIP+0x10ddea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes {JMP QWORD [RIP+0xcdf3a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes {JMP QWORD [RIP+0x10df0a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WS2_32.dll!WSAStartup 000007fefe684980 6 bytes {JMP QWORD [RIP+0x134c67a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes {JMP QWORD [RIP+0x33d6e6]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] 
C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes {JMP QWORD [RIP+0x11da9e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes {JMP QWORD [RIP+0x13d6ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes {JMP QWORD [RIP+0x12e386]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes {JMP QWORD [RIP+0x40e23a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes {JMP QWORD [RIP+0x4319fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes JMP 52004f .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes {JMP QWORD [RIP+0x107a16]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes {JMP QWORD [RIP+0x147936]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD [RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes {JMP QWORD [RIP+0x18765e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes {JMP QWORD [RIP+0x1274ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 
bytes {JMP QWORD [RIP+0x16735a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes {JMP QWORD [RIP+0x1a70fa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000776a13e0 7 bytes [48, B8, 80, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000776a13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000776a1490 6 bytes {JMP QWORD [RIP+0x8abfb6a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000776a1550 7 bytes [48, B8, D8, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000776a1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000776a1570 7 bytes [48, B8, 54, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000776a1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000776a1580 7 bytes [48, B8, 54, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000776a1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000776a1590 7 bytes [48, B8, 60, E7, 4A, 3F, 01] 
.text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000776a1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000776a15b0 7 bytes [48, B8, A4, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000776a15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000776a1600 7 bytes [48, B8, FC, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000776a1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000776a1610 7 bytes [48, B8, 90, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000776a1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000776a1640 7 bytes [48, B8, E4, E7, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000776a1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000776a16e0 7 bytes [48, B8, 2C, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000776a16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000776a1810 6 bytes {JMP QWORD [RIP+0x8adf7ea]} .text C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000776a1860 7 bytes [48, B8, A8, E6, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000776a1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000776a22d0 7 bytes [48, B8, 78, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000776a22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776a2320 7 bytes [48, B8, B4, E8, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000776a2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000776a2470 7 bytes [48, B8, 40, E9, 4A, 3F, 01] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000776a2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!CopyFileW 00000000774392d0 6 bytes {JMP QWORD [RIP+0x8ca7d2a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007744e7b0 6 bytes {JMP QWORD [RIP+0x8bd284a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077451bb0 6 bytes {JMP QWORD [RIP+0x8c0f44a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!GetThreadSelectorEntry 0000000077480d10 6 bytes {JMP QWORD [RIP+0x8cc02ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] 
C:\Windows\system32\kernel32.dll!MoveFileW 00000000774bf7f0 6 bytes {JMP QWORD [RIP+0x8be180a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!MoveFileA 00000000774bf950 6 bytes {JMP QWORD [RIP+0x8c016aa]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!CopyFileA 00000000774c5620 6 bytes {JMP QWORD [RIP+0x8c3b9da]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!CreateProcessInternalA 00000000774c7b70 6 bytes {JMP QWORD [RIP+0x8b7948a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000774c8840 6 bytes {JMP QWORD [RIP+0x8bb87ba]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\kernel32.dll!WinExec 00000000774c8d80 6 bytes {JMP QWORD [RIP+0x8c5827a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!VirtualAlloc 000007fefd8e1950 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefd8ea058 3 bytes [B2, 5F, 06] .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!HeapCreate + 1 000007fefd8eb9a1 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!VirtualProtect 000007fefd8f31e0 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!VirtualProtectEx 000007fefd8f3210 6 bytes JMP 10 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!VirtualAllocEx 000007fefd9130c0 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd9130f0 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WS2_32.dll!WSAStartup 
000007fefe684980 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!InternetReadFile 000007fefdfd3914 6 bytes JMP 6d006f .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!InternetOpenUrlA 000007fefdfdba68 6 bytes {JMP QWORD [RIP+0x195592]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!HttpSendRequestW 000007fefdfe3b6c 6 bytes {JMP QWORD [RIP+0x46d48e]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!HttpOpenRequestW 000007fefdff355c 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!HttpOpenRequestA 000007fefdff3910 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!HttpSendRequestExW 000007fefdff68d8 6 bytes {JMP QWORD [RIP+0x4aa722]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!InternetOpenUrlW 000007fefe022c74 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!InternetReadFileExW + 1 000007fefe022dc1 5 bytes {JMP QWORD [RIP+0x40e23a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!HttpSendRequestA 000007fefe03f600 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\WININET.dll!HttpSendRequestExA 000007fefe03f694 6 bytes {JMP QWORD [RIP+0x481966]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLDownloadToFileW 000007fefe2295e4 6 bytes JMP 7a280000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW + 1 000007fefe2296c5 5 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamW 000007fefe2298b0 6 bytes {JMP QWORD 
[RIP+0x1c774a]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLOpenStreamW 000007fefe22999c 6 bytes JMP 61630000 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLDownloadToFileA 000007fefe229b10 6 bytes JMP 0 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileA + 1 000007fefe229ca1 5 bytes JMP 16 .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLOpenBlockingStreamA 000007fefe229e10 6 bytes {JMP QWORD [RIP+0x1e71ea]} .text C:\Program Files\Opera\44.0.2510.1449\opera.exe[6452] C:\Windows\system32\urlmon.dll!URLOpenStreamA + 1 000007fefe229f01 5 bytes JMP 0 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880018bce94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880018bcc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880018bd654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880018bda50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880018bd8ac] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff880048bd948] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[4620] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] @ C:\Program 
Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3628] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[KERNEL32.dll!CreateNamedPipeW] [7755002c] IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[KERNEL32.dll!CreateNamedPipeW] [7755002c] IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedd1dc460] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedd1dcc88] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fedd1dd0c0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fedd1dcca0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[5440] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedd1dcc80] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[KERNEL32.dll!CreateNamedPipeW] [7755002c] IAT C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedd1dc460] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedd1dcc88] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fedd1dd0c0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fedd1dcca0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[3588] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedd1dcc80] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[KERNEL32.dll!CreateNamedPipeW] [7755002c] IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedd1dc460] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedd1dcc88] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fedd1dd0c0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] 
[7fedd1dcca0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2460] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedd1dcc80] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[KERNEL32.dll!CreateNamedPipeW] [7755002c] IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedd1dc460] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedd1dcc88] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fedd1dd0c0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fedd1dcca0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[2652] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedd1dcc80] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[GDI32.dll!GetFontData] [7fedd961aa8] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll[KERNEL32.dll!CreateNamedPipeW] [7755002c] IAT C:\Program 
Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedd1dc460] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedd1dcc88] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7fedd1dd0c0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7fedd1dcca0] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll IAT C:\Program Files\Opera\44.0.2510.1449\opera.exe[1312] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedd1dcc80] C:\Program Files\Opera\44.0.2510.1449\opera_browser.dll ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800d06c2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800d06c2c0 Device \FileSystem\Ntfs \Ntfs fffffa800d0742c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{10DF8DFB-3C2D-4AE8-9C23-51A84412DE53} fffffa800da112c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800e5252c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4ED964A2-7FD8-4DC4-9B41-FB97BF4F2A74} fffffa800da112c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800e5252c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800e5252c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800da112c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800d06c2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800e5252c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800d06c2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa800d06c2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800d96b060] fffffa800d96b060 Trace 3 CLASSPNP.SYS[fffff88000d9e43f] -> 
nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800d4cc060] fffffa800d4cc060 Trace \Driver\atapi[0xfffffa800d108700] -> IRP_MJ_CREATE -> 0xfffffa800d06c2c0 fffffa800d06c2c0 ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3744:2988] 000007fefbb82ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3744:4576] 000007fee541d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3744:2160] 000007fef8ff5124 Thread C:\Windows\System32\svchost.exe [5368:4436] 000007fee38f9688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@CheckVersion 34 ---- EOF - GMER 2.2 ----