GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-22 18:16:09 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB Running: 5o2nsmzh.exe; Driver: C:\Users\Helf\AppData\Local\Temp\aftciaob.sys ---- User code sections - GMER 2.1 ---- .text E:\Gry\Steam\Steam.exe[2212] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000760b1dd5 5 bytes JMP 00000001725d1fe0 .text E:\Gry\Steam\Steam.exe[2212] C:\Windows\syswow64\kernel32.dll!FreeLibrary 00000000760b1de2 5 bytes JMP 00000001725d2170 .text E:\Gry\Steam\Steam.exe[2212] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000760b1e12 5 bytes JMP 00000001725d1f20 .text E:\Gry\Steam\Steam.exe[2212] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000760b1e2c 5 bytes JMP 00000001725d20a0 .text E:\Gry\Steam\Steam.exe[2212] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000760b4bc6 5 bytes JMP 00000001725d1e70 .text E:\Gry\Steam\Steam.exe[2212] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 00000000762b4516 5 bytes JMP 0000000100170800 .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Users\Helf\AppData\Local\Lollipop\Lollipop.exe[2228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 00000000762b4516 5 bytes JMP 0000000100210800 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\WS2_32.dll!closesocket 0000000077893bed 5 bytes JMP 0000000110002ed8 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\WS2_32.dll!recv 00000000778947df 5 bytes JMP 0000000110002aec .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000778968a7 5 bytes JMP 0000000110002a6c .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSARecv 000000007789c29f 5 bytes JMP 0000000110002c0f .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\WS2_32.dll!send 000000007789c4c8 5 bytes JMP 00000001100029ff .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 000000007789e860 5 bytes JMP 0000000110002d84 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [3256] entry point in ".rdata" section 000000006b3c71e6 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera_crashreporter.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f951 7 bytes {MOV EDX, 0x1eae28; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fb95 7 bytes {MOV EDX, 0x1eae68; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fbc5 7 bytes {MOV EDX, 0x1eada8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fbdd 7 bytes {MOV EDX, 0x1ead28; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fbf5 7 bytes {MOV EDX, 0x1eaf28; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc25 7 bytes {MOV EDX, 0x1eaf68; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fca5 7 bytes {MOV EDX, 0x1eaee8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcbd 7 bytes {MOV EDX, 0x1eaea8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd09 7 bytes {MOV EDX, 0x1eac68; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe01 7 bytes {MOV EDX, 0x1eaca8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90059 7 bytes {MOV EDX, 0x1eac28; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d91065 7 bytes {MOV EDX, 0x1eade8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d910dd 7 bytes {MOV EDX, 0x1ead68; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d912e1 7 bytes {MOV EDX, 0x1eace8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f951 7 bytes {MOV EDX, 0x28fd228; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fb95 7 bytes {MOV EDX, 0x28fd268; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fbc5 7 bytes {MOV EDX, 0x28fd1a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fbdd 7 bytes {MOV EDX, 0x28fd128; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fbf5 7 bytes {MOV EDX, 0x28fd328; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc25 7 bytes {MOV EDX, 0x28fd368; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fca5 7 bytes {MOV EDX, 0x28fd2e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcbd 7 bytes {MOV EDX, 0x28fd2a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd09 7 bytes {MOV EDX, 0x28fd068; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe01 7 bytes {MOV EDX, 0x28fd0a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90059 7 bytes {MOV EDX, 0x28fd028; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d91065 7 bytes {MOV EDX, 0x28fd1e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d910dd 7 bytes {MOV EDX, 0x28fd168; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d912e1 7 bytes {MOV EDX, 0x28fd0e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f951 7 bytes {MOV EDX, 0x28fe228; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fb95 7 bytes {MOV EDX, 0x28fe268; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fbc5 7 bytes {MOV EDX, 0x28fe1a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fbdd 7 bytes {MOV EDX, 0x28fe128; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fbf5 7 bytes {MOV EDX, 0x28fe328; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc25 7 bytes {MOV EDX, 0x28fe368; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fca5 7 bytes {MOV EDX, 0x28fe2e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcbd 7 bytes {MOV EDX, 0x28fe2a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd09 7 bytes {MOV EDX, 0x28fe068; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe01 7 bytes {MOV EDX, 0x28fe0a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90059 7 bytes {MOV EDX, 0x28fe028; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d91065 7 bytes {MOV EDX, 0x28fe1e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d910dd 7 bytes {MOV EDX, 0x28fe168; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d912e1 7 bytes {MOV EDX, 0x28fe0e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f951 7 bytes {MOV EDX, 0x28f6628; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fb95 7 bytes {MOV EDX, 0x28f6668; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fbc5 7 bytes {MOV EDX, 0x28f65a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fbdd 7 bytes {MOV EDX, 0x28f6528; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fbf5 7 bytes {MOV EDX, 0x28f6728; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc25 7 bytes {MOV EDX, 0x28f6768; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fca5 7 bytes {MOV EDX, 0x28f66e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcbd 7 bytes {MOV EDX, 0x28f66a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd09 7 bytes {MOV EDX, 0x28f6468; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe01 7 bytes {MOV EDX, 0x28f64a8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90059 7 bytes {MOV EDX, 0x28f6428; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d91065 7 bytes {MOV EDX, 0x28f65e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d910dd 7 bytes {MOV EDX, 0x28f6568; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d912e1 7 bytes {MOV EDX, 0x28f64e8; JMP RDX} .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075941401 2 bytes JMP 760ceb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075941419 2 bytes JMP 760db513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075941431 2 bytes JMP 76158609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007594144a 2 bytes CALL 760b1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759414dd 2 bytes JMP 76157efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759414f5 2 bytes JMP 761580d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007594150d 2 bytes JMP 76157df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075941525 2 bytes JMP 761581c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007594153d 2 bytes JMP 760cf088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075941555 2 bytes JMP 760db885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007594156d 2 bytes JMP 761586c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075941585 2 bytes JMP 76158222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007594159d 2 bytes JMP 76157db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759415b5 2 bytes JMP 760cf121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759415cd 2 bytes JMP 760db29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759416b2 2 bytes JMP 76158584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Opera\15.0.1147.153\opera.exe[772] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759416bd 2 bytes JMP 76157d4d C:\Windows\syswow64\kernel32.dll ---- EOF - GMER 2.1 ----