GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-19 18:11:59 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\00000069 ST1000LM rev.2BA3 931,51GB Running: hslipjhz.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\kwrdipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8F4E7AC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8F5A30BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8F4E85A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8F4F463C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8F4F4688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8F4F4822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8F4F45AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8F5A3494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8F4F45F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8F5A3724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8F5A380E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8F4F47DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8F4E9390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8F4E7B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8F4ECB86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8F4E7716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8F5A3574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8F4E7B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8F4ECF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8F4E9E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8F4F4666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8F4F46AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8F4F4846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8F4F45D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8F4EC47E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8F4F475A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8F4F461A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8F4EC86A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8F4F4800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8F5A3312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8F4E9CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8F4E99FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8F4E7BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8F4E7C5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8F5A3670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8F4E77B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8F4E7982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8F4E7910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8F4E955A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8F4E96BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8F4E7A0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8F5A33E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8F4E91EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8F4E7CC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8F5A3244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C8F579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 214 82CBB714 4 Bytes [C4, 7A, 4E, 8F] .text ntkrnlpa.exe!RtlSidHashLookup + 23C 82CBB73C 4 Bytes [BA, 30, 5A, 8F] .text ntkrnlpa.exe!RtlSidHashLookup + 29C 82CBB79C 4 Bytes [A2, 85, 4E, 8F] .text ntkrnlpa.exe!RtlSidHashLookup + 2F0 82CBB7F0 8 Bytes [3C, 46, 4F, 8F, 88, 46, 4F, ...] .text ntkrnlpa.exe!RtlSidHashLookup + 2FC 82CBB7FC 4 Bytes JMP D213DA83 .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82EB90EA 4 Bytes CALL 8F4EA55F \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82EC11C5 4 Bytes CALL 8F4EA575 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Opera\27.0.1689.69\opera.exe[496] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 000F03FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[496] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 000F01F8 .text C:\Program Files\AVAST Software\Avast\avastui.exe[548] kernel32.dll!SetUnhandledExceptionFilter 75D93142 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1424] kernel32.dll!SetUnhandledExceptionFilter 75D93142 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 84, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 87, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 84, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 85, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FC70 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 86, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 85, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 86, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FD01 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 84, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FEBF C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 85, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 86, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 87, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03B703FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1776] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03B701F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 08, 0B, 00] {SUB [EAX], CL; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 0B, 0B, 00] {SUB [EBX], CL; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 08, 0B, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 09, 0B, 00] {TEST AL, 0x9; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 0A, 0B, 00] {TEST AL, 0xa; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 09, 0B, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 0A, 0B, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 08, 0B, 00] {TEST AL, 0x8; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 09, 0B, 00] {SUB [ECX], CL; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 0A, 0B, 00] {SUB [EDX], CL; OR EAX, [EAX]} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 0B, 0B, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 002103FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[1816] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 002101F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, A4, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, A7, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, A4, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, A5, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FC90 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, A6, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, A5, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, A6, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FD21 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, A4, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FEDF C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, A5, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, A6, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, A7, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03B703FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[2788] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03B701F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 44, 47, 00] {SUB [EDI+EAX*2+0x0], AL} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 47, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 44, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 45, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 46, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 45, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 46, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 44, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 45, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 46, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 47, 47, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 005403FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[3792] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 005401F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 40, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 43, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 40, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 41, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FC2C C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 42, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 41, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 42, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FCBD C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 40, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FE7B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 41, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 42, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 43, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03B703FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4136] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03B701F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4384] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 000F03FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4384] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 000F01F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes CALL 5A354DC5 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, EB, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes CALL 5A3554D5 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes JMP 5A355585 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FCD4 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes JMP E2FF03AA .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes JMP 5A355605 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes JMP E2FF03AA .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FD65 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes CALL 5A355735 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FF23 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes JMP 5A355E35 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes JMP E2FF03AA .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, EB, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03C703FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4832] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03C701F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 44, AA, 03] {SUB [EDX+EBP*4+0x3], AL} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 47, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 44, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 45, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FC30 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 46, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 45, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 46, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FCC1 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 44, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FE7F C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 45, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 46, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 47, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03AF03FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[4924] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03AF01F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, F0, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, F3, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, F0, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, F1, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FCDC C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, F2, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, F1, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, F2, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FD6D C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, F0, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FF2B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, F1, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, F2, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, F3, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03C703FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5260] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03C701F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 88, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 8B, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 88, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 89, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenProcessToken + 6 773651E6 4 Bytes CALL 7639FC74 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 8A, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 89, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 8A, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenThreadTokenEx + 6 77365276 4 Bytes CALL 7639FD05 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 88, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtQueryFullAttributesFile + 6 77365436 4 Bytes CALL 7639FEC3 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 89, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 8A, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 8B, AA, 03] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 03B703FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[5864] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 03B701F8 .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtCreateFile + 6 77364A16 4 Bytes [28, 84, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtCreateFile + B 77364A1B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtMapViewOfSection + 6 77365076 4 Bytes [28, 87, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtMapViewOfSection + B 7736507B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenFile + 6 77365126 4 Bytes [68, 84, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenFile + B 7736512B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenProcess + 6 773651D6 4 Bytes [A8, 85, 6A, 00] {TEST AL, 0x85; PUSH 0x0} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenProcess + B 773651DB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenProcessToken + B 773651EB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenProcessTokenEx + 6 773651F6 4 Bytes [A8, 86, 6A, 00] {TEST AL, 0x86; PUSH 0x0} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenProcessTokenEx + B 773651FB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenThread + 6 77365256 4 Bytes [68, 85, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenThread + B 7736525B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenThreadToken + 6 77365266 4 Bytes [68, 86, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenThreadToken + B 7736526B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtOpenThreadTokenEx + B 7736527B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtQueryAttributesFile + 6 77365386 4 Bytes [A8, 84, 6A, 00] {TEST AL, 0x84; PUSH 0x0} .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtQueryAttributesFile + B 7736538B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtQueryFullAttributesFile + B 7736543B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtSetInformationFile + 6 77365A86 4 Bytes [28, 85, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtSetInformationFile + B 77365A8B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtSetInformationThread + 6 77365AE6 4 Bytes [28, 86, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtSetInformationThread + B 77365AEB 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtUnmapViewOfSection + 6 77365E06 4 Bytes [68, 87, 6A, 00] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!NtUnmapViewOfSection + B 77365E0B 1 Byte [E2] .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!LdrUnloadDll 7737BE7F 5 Bytes JMP 007003FC .text C:\Program Files\Opera\27.0.1689.69\opera.exe[6020] ntdll.dll!LdrLoadDll 7737F585 5 Bytes JMP 007001F8 ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\00000080 bthport.sys Device \Driver\BTHUSB \Device\0000007e bthport.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0071cc916884 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0071cc916884@bc20a4a4ba04 0x43 0xE9 0xB2 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 347 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9D7C0F1A-D1DC-4CC8-A8AF-2D6433131678}@LeaseObtainedTime 1424363697 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9D7C0F1A-D1DC-4CC8-A8AF-2D6433131678}@T1 1424367297 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9D7C0F1A-D1DC-4CC8-A8AF-2D6433131678}@T2 1424369997 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9D7C0F1A-D1DC-4CC8-A8AF-2D6433131678}@LeaseTerminatesTime 1424370897 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0071cc916884 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0071cc916884@bc20a4a4ba04 0x43 0xE9 0xB2 0x84 ... Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\1CB5A9A1-E325-4097-ADCE-01B1E0F4BFE1@IPAddress 127.0.0.1 ---- EOF - GMER 2.1 ----