GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-03 12:42:43
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD10JPVX-08JC3T5 rev.05.01A05 931,51GB
Running: ml04sdti.exe; Driver: C:\Users\LENOVO~1\AppData\Local\Temp\ffadyfog.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files\WinRAR\WinRAR.exe[6176] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffa4de365c0 6 bytes {JMP QWORD [RIP+0x1baa3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffa4de365c0 6 bytes {JMP QWORD [RIP+0x1baa3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffa4de963c0 5 bytes [FF, 25, 3A, AC, 17]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ffa4de96ac0 5 bytes [FF, 25, 3A, A5, 19]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffa4d5dddc0 6 bytes {JMP QWORD [RIP+0x2a323a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffa4d5e1800 6 bytes {JMP QWORD [RIP+0x58f7fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffa4d5e4a33 2 bytes [C5, 2D]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffa4d61c1c0 6 bytes {JMP QWORD [RIP+0x2c4e3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffa4d61d620 6 bytes {JMP QWORD [RIP+0x2839da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffa4d620860 6 bytes {JMP QWORD [RIP+0x2e079a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffa4c0a6580 6 bytes {JMP QWORD [RIP+0x189aa7a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffa4c132aa0 6 bytes {JMP QWORD [RIP+0x17ee55a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffa4daa2630 6 bytes {JMP QWORD [RIP+0xee9ca]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffa3963d360 6 bytes {JMP QWORD [RIP+0x403c9a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffa39648a80 6 bytes {JMP QWORD [RIP+0x35857a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffa39693370 6 bytes {JMP QWORD [RIP+0x34dc8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffa39693c60 6 bytes {JMP QWORD [RIP+0x28d39a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffa3969c7f0 3 bytes [FF, 25, 0A]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ffa3969c7f4 2 bytes [32, 00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffa396ce240 6 bytes {JMP QWORD [RIP+0x352dba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffa396d5170 6 bytes {JMP QWORD [RIP+0x32be8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffa3973ce00 6 bytes {JMP QWORD [RIP+0x2441fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffa3973d6f0 6 bytes {JMP QWORD [RIP+0x22390a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffa39765c00 6 bytes {JMP QWORD [RIP+0x1db3fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ffa3dd42240 6 bytes {JMP QWORD [RIP+0x18edba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffa3dd422d0 6 bytes {JMP QWORD [RIP+0x1ded2a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ffa3ddcf710 6 bytes {JMP QWORD [RIP+0x1718ea]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ffa3ddcf890 6 bytes {JMP QWORD [RIP+0x12176a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ffa3ddcf9e0 6 bytes {JMP QWORD [RIP+0x23161a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ffa3ddcfac0 6 bytes {JMP QWORD [RIP+0x20153a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ffa3ddcfd50 6 bytes {JMP QWORD [RIP+0x1d12aa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[4956] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ffa3ddcfe20 6 bytes {JMP QWORD [RIP+0x1a11da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffa4c0a6580 6 bytes {JMP QWORD [RIP+0x16baa7a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffa4c132aa0 6 bytes {JMP QWORD [RIP+0x160e55a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffa4daa2630 6 bytes {JMP QWORD [RIP+0xee9ca]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffa3963d360 6 bytes {JMP QWORD [RIP+0x403c9a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffa39648a80 6 bytes {JMP QWORD [RIP+0x35857a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffa39693370 6 bytes {JMP QWORD [RIP+0x34dc8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffa39693c60 6 bytes {JMP QWORD [RIP+0x28d39a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffa3969c7f0 3 bytes [FF, 25, 0A]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ffa3969c7f4 2 bytes [32, 00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffa396ce240 6 bytes {JMP QWORD [RIP+0x352dba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffa396d5170 6 bytes {JMP QWORD [RIP+0x32be8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffa3973ce00 6 bytes {JMP QWORD [RIP+0x2441fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffa3973d6f0 6 bytes {JMP QWORD [RIP+0x22390a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffa39765c00 6 bytes {JMP QWORD [RIP+0x1db3fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ffa3dd42240 6 bytes {JMP QWORD [RIP+0x18edba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffa3dd422d0 6 bytes {JMP QWORD [RIP+0x1ded2a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ffa3ddcf710 6 bytes {JMP QWORD [RIP+0x1718ea]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ffa3ddcf890 6 bytes {JMP QWORD [RIP+0x12176a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ffa3ddcf9e0 6 bytes {JMP QWORD [RIP+0x23161a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ffa3ddcfac0 6 bytes {JMP QWORD [RIP+0x20153a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ffa3ddcfd50 6 bytes {JMP QWORD [RIP+0x1d12aa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2300] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ffa3ddcfe20 6 bytes {JMP QWORD [RIP+0x1a11da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffa4de365c0 6 bytes {JMP QWORD [RIP+0x1baa3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa4de96260 16 bytes {MOV RAX, 0x7ff61ac2e9a8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffa4de963c0 5 bytes [FF, 25, 3A, AC, 17]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffa4de96540 16 bytes {MOV RAX, 0x7ff61ac2e900; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffa4de96580 16 bytes {MOV RAX, 0x7ff61ac2e87c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ffa4de965a0 16 bytes {MOV RAX, 0x7ff61ac2e97c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa4de965c0 16 bytes {MOV RAX, 0x7ff61ac2e788; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffa4de96600 16 bytes {MOV RAX, 0x7ff61ac2e9cc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffa4de966a0 16 bytes {MOV RAX, 0x7ff61ac2e924; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ffa4de966c0 16 bytes {MOV RAX, 0x7ff61ac2e8b8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffa4de96720 16 bytes {MOV RAX, 0x7ff61ac2e80c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffa4de96860 16 bytes {MOV RAX, 0x7ff61ac2e954; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ffa4de96ac0 5 bytes [FF, 25, 3A, A5, 19]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffa4de96b60 16 bytes {MOV RAX, 0x7ff61ac2e6d0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffa4de983d0 16 bytes {MOV RAX, 0x7ff61ac2e8a0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffa4de98490 16 bytes {MOV RAX, 0x7ff61ac2e8dc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffa4de98730 16 bytes {MOV RAX, 0x7ff61ac2e968; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffa4d5dddc0 6 bytes {JMP QWORD [RIP+0xc323a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffa4d5e1800 6 bytes {JMP QWORD [RIP+0x19f7fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffa4d5e4a33 2 bytes [C5, 0F]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffa4d61c1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffa4d61d620 6 bytes {JMP QWORD [RIP+0xa39da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffa4d620860 4 bytes [FF, 25, 9A, 07]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\KERNEL32.DLL!WinExec + 5 00007ffa4d620865 1 byte [00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffa4c0a6580 6 bytes {JMP QWORD [RIP+0x16baa7a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffa4c132aa0 6 bytes {JMP QWORD [RIP+0x160e55a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffa4daa2630 6 bytes {JMP QWORD [RIP+0xee9ca]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffa3963d360 6 bytes {JMP QWORD [RIP+0x403c9a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffa39648a80 6 bytes {JMP QWORD [RIP+0x35857a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffa39693370 6 bytes {JMP QWORD [RIP+0x34dc8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffa39693c60 6 bytes {JMP QWORD [RIP+0x28d39a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffa3969c7f0 3 bytes [FF, 25, 0A]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ffa3969c7f4 2 bytes [32, 00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffa396ce240 6 bytes {JMP QWORD [RIP+0x352dba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffa396d5170 6 bytes {JMP QWORD [RIP+0x32be8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffa3973ce00 6 bytes {JMP QWORD [RIP+0x2441fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffa3973d6f0 6 bytes {JMP QWORD [RIP+0x22390a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffa39765c00 6 bytes {JMP QWORD [RIP+0x1db3fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ffa3dd42240 6 bytes {JMP QWORD [RIP+0x18edba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffa3dd422d0 6 bytes {JMP QWORD [RIP+0x1ded2a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ffa3ddcf710 6 bytes {JMP QWORD [RIP+0x1718ea]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ffa3ddcf890 6 bytes {JMP QWORD [RIP+0x12176a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ffa3ddcf9e0 6 bytes {JMP QWORD [RIP+0x23161a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ffa3ddcfac0 6 bytes {JMP QWORD [RIP+0x20153a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ffa3ddcfd50 6 bytes {JMP QWORD [RIP+0x1d12aa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ffa3ddcfe20 6 bytes {JMP QWORD [RIP+0x1a11da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffa4de365c0 6 bytes {JMP QWORD [RIP+0x1baa3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa4de96260 16 bytes {MOV RAX, 0x7ff61ac2e9a8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffa4de963c0 5 bytes [FF, 25, 3A, AC, 17]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffa4de96540 16 bytes {MOV RAX, 0x7ff61ac2e900; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffa4de96580 16 bytes {MOV RAX, 0x7ff61ac2e87c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ffa4de965a0 16 bytes {MOV RAX, 0x7ff61ac2e97c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa4de965c0 16 bytes {MOV RAX, 0x7ff61ac2e788; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffa4de96600 16 bytes {MOV RAX, 0x7ff61ac2e9cc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffa4de966a0 16 bytes {MOV RAX, 0x7ff61ac2e924; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ffa4de966c0 16 bytes {MOV RAX, 0x7ff61ac2e8b8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffa4de96720 16 bytes {MOV RAX, 0x7ff61ac2e80c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffa4de96860 16 bytes {MOV RAX, 0x7ff61ac2e954; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ffa4de96ac0 5 bytes [FF, 25, 3A, A5, 19]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffa4de96b60 16 bytes {MOV RAX, 0x7ff61ac2e6d0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffa4de983d0 16 bytes {MOV RAX, 0x7ff61ac2e8a0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffa4de98490 16 bytes {MOV RAX, 0x7ff61ac2e8dc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffa4de98730 16 bytes {MOV RAX, 0x7ff61ac2e968; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffa4d5dddc0 6 bytes {JMP QWORD [RIP+0xc323a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffa4d5e1800 6 bytes {JMP QWORD [RIP+0x19f7fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffa4d5e4a33 2 bytes [C5, 0F]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffa4d61c1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffa4d61d620 6 bytes {JMP QWORD [RIP+0xa39da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffa4d620860 4 bytes [FF, 25, 9A, 07]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\KERNEL32.DLL!WinExec + 5 00007ffa4d620865 1 byte [00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffa4c0a6580 6 bytes {JMP QWORD [RIP+0x16baa7a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffa4c132aa0 6 bytes {JMP QWORD [RIP+0x160e55a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffa4daa2630 6 bytes {JMP QWORD [RIP+0xee9ca]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffa3963d360 6 bytes {JMP QWORD [RIP+0x403c9a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffa39648a80 6 bytes {JMP QWORD [RIP+0x35857a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffa39693370 6 bytes {JMP QWORD [RIP+0x34dc8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffa39693c60 6 bytes {JMP QWORD [RIP+0x28d39a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffa3969c7f0 3 bytes [FF, 25, 0A]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ffa3969c7f4 2 bytes [32, 00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffa396ce240 6 bytes {JMP QWORD [RIP+0x352dba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffa396d5170 6 bytes {JMP QWORD [RIP+0x32be8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffa3973ce00 6 bytes {JMP QWORD [RIP+0x2441fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffa3973d6f0 6 bytes {JMP QWORD [RIP+0x22390a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffa39765c00 6 bytes {JMP QWORD [RIP+0x1db3fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ffa3dd42240 6 bytes {JMP QWORD [RIP+0x18edba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffa3dd422d0 6 bytes {JMP QWORD [RIP+0x1ded2a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ffa3ddcf710 6 bytes {JMP QWORD [RIP+0x1718ea]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ffa3ddcf890 6 bytes {JMP QWORD [RIP+0x12176a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ffa3ddcf9e0 6 bytes {JMP QWORD [RIP+0x23161a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ffa3ddcfac0 6 bytes {JMP QWORD [RIP+0x20153a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ffa3ddcfd50 6 bytes {JMP QWORD [RIP+0x1d12aa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ffa3ddcfe20 6 bytes {JMP QWORD [RIP+0x1a11da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffa4de365c0 6 bytes {JMP QWORD [RIP+0x1baa3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa4de96260 16 bytes {MOV RAX, 0x7ff61ac2e9a8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffa4de963c0 5 bytes [FF, 25, 3A, AC, 17]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffa4de96540 16 bytes {MOV RAX, 0x7ff61ac2e900; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffa4de96580 16 bytes {MOV RAX, 0x7ff61ac2e87c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ffa4de965a0 16 bytes {MOV RAX, 0x7ff61ac2e97c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa4de965c0 16 bytes {MOV RAX, 0x7ff61ac2e788; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffa4de96600 16 bytes {MOV RAX, 0x7ff61ac2e9cc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffa4de966a0 16 bytes {MOV RAX, 0x7ff61ac2e924; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ffa4de966c0 16 bytes {MOV RAX, 0x7ff61ac2e8b8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffa4de96720 16 bytes {MOV RAX, 0x7ff61ac2e80c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffa4de96860 16 bytes {MOV RAX, 0x7ff61ac2e954; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ffa4de96ac0 5 bytes [FF, 25, 3A, A5, 19]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffa4de96b60 16 bytes {MOV RAX, 0x7ff61ac2e6d0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffa4de983d0 16 bytes {MOV RAX, 0x7ff61ac2e8a0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffa4de98490 16 bytes {MOV RAX, 0x7ff61ac2e8dc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffa4de98730 16 bytes {MOV RAX, 0x7ff61ac2e968; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffa4d5dddc0 6 bytes {JMP QWORD [RIP+0xc323a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffa4d5e1800 6 bytes {JMP QWORD [RIP+0x19f7fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffa4d5e4a33 2 bytes [C5, 0F]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffa4d61c1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffa4d61d620 6 bytes {JMP QWORD [RIP+0xa39da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffa4d620860 4 bytes [FF, 25, 9A, 07]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\KERNEL32.DLL!WinExec + 5 00007ffa4d620865 1 byte [00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffa4c0a6580 6 bytes {JMP QWORD [RIP+0x16baa7a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffa4c132aa0 6 bytes {JMP QWORD [RIP+0x160e55a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffa4daa2630 6 bytes {JMP QWORD [RIP+0xee9ca]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffa3963d360 6 bytes {JMP QWORD [RIP+0x403c9a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffa39648a80 6 bytes {JMP QWORD [RIP+0x35857a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffa39693370 6 bytes {JMP QWORD [RIP+0x34dc8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffa39693c60 6 bytes {JMP QWORD [RIP+0x28d39a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffa3969c7f0 3 bytes [FF, 25, 0A]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ffa3969c7f4 2 bytes [32, 00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffa396ce240 6 bytes {JMP QWORD [RIP+0x352dba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffa396d5170 6 bytes {JMP QWORD [RIP+0x32be8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffa3973ce00 6 bytes {JMP QWORD [RIP+0x2441fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffa3973d6f0 6 bytes {JMP QWORD [RIP+0x22390a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffa39765c00 6 bytes {JMP QWORD [RIP+0x1db3fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ffa3dd42240 6 bytes {JMP QWORD [RIP+0x18edba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffa3dd422d0 6 bytes {JMP QWORD [RIP+0x1ded2a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ffa3ddcf710 6 bytes {JMP QWORD [RIP+0x1718ea]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ffa3ddcf890 6 bytes {JMP QWORD [RIP+0x12176a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ffa3ddcf9e0 6 bytes {JMP QWORD [RIP+0x23161a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ffa3ddcfac0 6 bytes {JMP QWORD [RIP+0x20153a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ffa3ddcfd50 6 bytes {JMP QWORD [RIP+0x1d12aa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ffa3ddcfe20 6 bytes {JMP QWORD [RIP+0x1a11da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI 00007ffa4de365c0 6 bytes {JMP QWORD [RIP+0x1baa3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffa4de96260 16 bytes {MOV RAX, 0x7ff61ac2e9a8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00007ffa4de963c0 5 bytes [FF, 25, 3A, AC, 17]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffa4de96540 16 bytes {MOV RAX, 0x7ff61ac2e900; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffa4de96580 16 bytes {MOV RAX, 0x7ff61ac2e87c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00007ffa4de965a0 16 bytes {MOV RAX, 0x7ff61ac2e97c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa4de965c0 16 bytes {MOV RAX, 0x7ff61ac2e788; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffa4de96600 16 bytes {MOV RAX, 0x7ff61ac2e9cc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffa4de966a0 16 bytes {MOV RAX, 0x7ff61ac2e924; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00007ffa4de966c0 16 bytes {MOV RAX, 0x7ff61ac2e8b8; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffa4de96720 16 bytes {MOV RAX, 0x7ff61ac2e80c; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffa4de96860 16 bytes {MOV RAX, 0x7ff61ac2e954; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00007ffa4de96ac0 5 bytes [FF, 25, 3A, A5, 19]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffa4de96b60 16 bytes {MOV RAX, 0x7ff61ac2e6d0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffa4de983d0 16 bytes {MOV RAX, 0x7ff61ac2e8a0; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffa4de98490 16 bytes {MOV RAX, 0x7ff61ac2e8dc; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffa4de98730 16 bytes {MOV RAX, 0x7ff61ac2e968; JMP RAX}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!MoveFileW 00007ffa4d5dddc0 6 bytes {JMP QWORD [RIP+0xc323a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!SetProcessDEPPolicy 00007ffa4d5e1800 6 bytes {JMP QWORD [RIP+0x19f7fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!CopyFileW + 3 00007ffa4d5e4a33 2 bytes [C5, 0F]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!CopyFileA 00007ffa4d61c1c0 6 bytes {JMP QWORD [RIP+0xe4e3a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!MoveFileA 00007ffa4d61d620 6 bytes {JMP QWORD [RIP+0xa39da]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!WinExec 00007ffa4d620860 4 bytes [FF, 25, 9A, 07]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\KERNEL32.DLL!WinExec + 5 00007ffa4d620865 1 byte [00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\SHELL32.dll!ShellExecuteExW 00007ffa4c0a6580 6 bytes {JMP QWORD [RIP+0x16baa7a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\SHELL32.dll!ShellExecuteW 00007ffa4c132aa0 6 bytes {JMP QWORD [RIP+0x160e55a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\System32\WS2_32.dll!WSAStartup 00007ffa4daa2630 6 bytes {JMP QWORD [RIP+0xee9ca]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffa3963d360 6 bytes {JMP QWORD [RIP+0x403c9a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!InternetReadFile 00007ffa39648a80 6 bytes {JMP QWORD [RIP+0x35857a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffa39693370 6 bytes {JMP QWORD [RIP+0x34dc8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffa39693c60 6 bytes {JMP QWORD [RIP+0x28d39a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW 00007ffa3969c7f0 3 bytes [FF, 25, 0A]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!InternetReadFileExW + 4 00007ffa3969c7f4 2 bytes [32, 00]
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffa396ce240 6 bytes {JMP QWORD [RIP+0x352dba]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffa396d5170 6 bytes {JMP QWORD [RIP+0x32be8a]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlA 00007ffa3973ce00 6 bytes {JMP QWORD [RIP+0x2441fa]}
.text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!InternetOpenUrlW 00007ffa3973d6f0 6 bytes {JMP QWORD [RIP+0x22390a]}
.text C:\Program
Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffa39765c00 6 bytes {JMP QWORD [RIP+0x1db3fa]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileW 00007ffa3dd42240 6 bytes {JMP QWORD [RIP+0x18edba]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileW 00007ffa3dd422d0 6 bytes {JMP QWORD [RIP+0x1ded2a]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToCacheFileA 00007ffa3ddcf710 6 bytes {JMP QWORD [RIP+0x1718ea]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLDownloadToFileA 00007ffa3ddcf890 6 bytes {JMP QWORD [RIP+0x12176a]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamA 00007ffa3ddcf9e0 6 bytes {JMP QWORD [RIP+0x23161a]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLOpenBlockingStreamW 00007ffa3ddcfac0 6 bytes {JMP QWORD [RIP+0x20153a]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamA 00007ffa3ddcfd50 6 bytes {JMP QWORD [RIP+0x1d12aa]} .text C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] C:\Windows\SYSTEM32\urlmon.dll!URLOpenStreamW 00007ffa3ddcfe20 6 bytes {JMP QWORD [RIP+0x1a11da]} ? 
C:\Windows\system32\apphelp.dll [2568] entry point in ".rdata" section 000000007164f7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffa4bf9002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ 
C:\Windows\SYSTEM32\OLEACC.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7948] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [24dbe0f9ae8] C:\Program Files\Opera\44.0.0.251024253\opera_browser.dll IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffa4bf9002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ 
C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\SYSTEM32\OLEACC.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[8076] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [1d5d4389ae8] C:\Program Files\Opera\44.0.0.251024253\opera_browser.dll IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffa4bf9002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ 
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\SYSTEM32\OLEACC.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[2128] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [1da02b69ae8] C:\Program Files\Opera\44.0.0.251024253\opera_browser.dll IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\USER32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffa4bf9002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\ole32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\ole32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\System32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ 
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.953_none_42151e83c686086b\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\SYSTEM32\dwmapi.dll[GDI32.dll!GetStockObject] [7ffa4bf9006c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\SYSTEM32\OLEACC.dll[USER32.dll!RegisterClassW] [7ffa4bcf002c] IAT C:\Program Files\Opera\44.0.0.251024253\opera.exe[7116] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [19804809ae8] C:\Program Files\Opera\44.0.0.251024253\opera_browser.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [696:748] ffff94add7f36c20 ---- Services - GMER 2.2 ---- Service C:\Windows\system32\drivers\MBAMSwissArmy.sys (*** hidden *** ) [BOOT] MBAMSwissArmy <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xE1 0x96 0x56 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x4A 0x79 0xBA 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xE1 0x96 0x56 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x4A 0x79 0xBA 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 15 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LEN40B00_00_07DB_63^5D21EF1C057C78D36A16D1B17CFAE297@Timestamp 0xC2 0x33 0x38 0xDF ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\LENOVO~1\AppData\Local\Temp\_iu14D2N.tmp?? 
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -660960945
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 7e972663-3259-4936-b377-14bc288
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS3d2ef7cf-df06-41cd-b42c-4e6cb5489217
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\5cc5d497df82
Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{24d2c96f-6966-47ce-9396-e97e705e9c5d}@LastProbeTime 1493812741
Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\IBMPMSVC\Parameters\Notification@Type2 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{3C0E775A-21AD-4DF5-BDA4-C95261146502}@InterfaceName Reusable ISATAP Interface {3C0E775A-21AD-4DF5-BDA4-C95261146502}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{3C0E775A-21AD-4DF5-BDA4-C95261146502}@ReusableType 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\18-a6-f7-fd-a0-04@AddressCreationTimestamp 0x5E 0x3B 0x1A 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\DOR
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\DOR@FFD0-0000016EDF9B8C80 0x2A 0x01 0x5C 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\DOR@FFD1-0000016EDF9B8C80 0x2A 0x01 0x5C 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ??r.?, ?maj ?03 ?17, 12:00:21 PM???????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 27
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2133
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 223
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 15
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1079
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{05eac8b9-bce0-426c-9c1a-6db9023e922a}@LeaseObtainedTime 1493805812
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{05eac8b9-bce0-426c-9c1a-6db9023e922a}@T1 1493809412
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{05eac8b9-bce0-426c-9c1a-6db9023e922a}@T2 1493812112
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{05eac8b9-bce0-426c-9c1a-6db9023e922a}@LeaseTerminatesTime 1493813012
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config@LastKnownGoodTime 0x62 0x20 0x50 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x6F 0x35 0xBF 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x6F 0x9D 0x83 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x6F 0xCD 0xFA 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7d4baf8???????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 11748 11754 11766 11776 11786 11806 11850 11860 11898 11904 11920
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 11926
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 11927
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 11748
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 11749
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\0018BFFE255B6234@LastMsgIdForDataConnection 0x1B 0xBD 0xA2 0x20 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@01 0x00 0x30 0x8F 0x8F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@07 0x00 0xC0 0xDF 0x4E ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@10 0x00 0x20 0x18 0x02 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@16 0x00 0x60 0x16 0x02 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@18 0x00 0x70 0xCD 0x30 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@21 0x00 0xC0 0xD4 0x02 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@22 0x00 0x00 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@24 0x00 0x00 0x00 0x84 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@26 0x00 0x40 0xA0 0xB3 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@28 0x00 0x70 0x92 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@29 0x00 0x80 0x6B 0x50 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-63E1-B1A0086059BE}@00 0x00 0xC0 0xF5 0x4B ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-B8DE-8C9808015127}@09 0x00 0xF0 0x56 0x66 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-5720-2D44-B8DE-8C9808015127}@00 0x00 0x80 0xD8 0x87 ...

---- EOF - GMER 2.2 ----