GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-05 22:33:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 PLEXTOR_PX-128M5S rev.1.05 119,24GB Running: y8z8k2zp.exe; Driver: C:\Users\Test\AppData\Local\Temp\pgddapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\kernel32.dll!UnhandledExceptionFilter 00000000752d773f 5 bytes JMP 00000000016407d0 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 752db263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 752db38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 753590f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 752b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 753589ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75358bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 753588e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75358caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 752cfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 752d6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 753591a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75358d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 753588a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 752cfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 752db324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 7535906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75358839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender Antivirus Free\vsserv.exe[2392] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007715baa1 11 bytes [B8, F0, 12, 10, 01, 00, 00, ...] .text C:\Program Files\Bitdefender Antivirus Free\vsservppl.exe[2452] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007715baa1 11 bytes [B8, F0, 12, 8B, 00, 00, 00, ...] .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000773df900 5 bytes JMP 000000007ef20920 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000773df938 5 bytes JMP 000000007ef20a52 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000773df9f0 5 bytes JMP 000000007ef20700 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfad0 5 bytes JMP 000000007ef208ba .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000773dfb38 1 byte JMP 000000007ef20656 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 2 00000000773dfb3a 3 bytes {JMP 0x7b40b1e} .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000773dfbb8 5 bytes JMP 000000007ef209ec .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000773dfc30 5 bytes JMP 000000007ef203f2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773dfc60 5 bytes JMP 000000007ef20018 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000773dfc90 5 bytes JMP 000000007ef2003a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfcc0 5 bytes JMP 000000007ef20634 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000773dfdd8 5 bytes JMP 000000007ef20a30 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773dfe24 5 bytes JMP 000000007ef203ae .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000773dfe54 5 bytes JMP 000000007ef20436 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773dfeb8 5 bytes JMP 000000007ef20876 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000773dfed0 5 bytes JMP 000000007ef20810 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000773dff34 5 bytes JMP 000000007ef20414 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000773dfffc 5 bytes JMP 000000007ef2036a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773e0014 5 bytes JMP 000000007ef20326 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0048 5 bytes JMP 000000007ef208dc .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773e00c4 2 bytes JMP 000000007ef20128 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 00000000773e00c7 2 bytes [B4, 07] .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000773e01d4 5 bytes JMP 000000007ef201b0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773e07ac 2 bytes JMP 000000007ef20898 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 3 00000000773e07af 2 bytes [B4, 07] .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000773e0824 5 bytes JMP 000000007ef20348 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773e08b4 5 bytes JMP 000000007ef20304 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773e0e04 5 bytes JMP 000000007ef20722 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000773e10d0 5 bytes JMP 000000007ef209ca .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000773e1614 5 bytes JMP 000000007ef205f0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773e1930 5 bytes JMP 000000007ef203d0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773e1bf4 5 bytes JMP 000000007ef20744 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000773e1d64 5 bytes JMP 000000007ef2047a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773e1d80 5 bytes JMP 000000007ef20458 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000773e1d9c 5 bytes JMP 000000007ef20a74 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000773f2954 5 bytes JMP 000000007ef200c2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000773f8ee1 5 bytes JMP 000000007ef20a0e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 000000007741fffb 5 bytes JMP 000000007ef2016c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007746869b 5 bytes JMP 000000007ef20612 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007746e93b 5 bytes JMP 000000007ef2014a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000752b0e00 5 bytes JMP 000000007ef200e4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752b1072 5 bytes JMP 000000007ef202c0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000752b499f 5 bytes JMP 000000007ef20238 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752c3be3 5 bytes JMP 000000007ef2038c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752c9ae4 5 bytes JMP 000000007ef207ee .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000752c9b45 5 bytes JMP 000000007ef207aa .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000752d736f 5 bytes JMP 000000007ef2025a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000752d8922 5 bytes JMP 000000007ef206de .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000752dccf1 5 bytes JMP 000000007ef20788 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752dcd11 5 bytes JMP 000000007ef207cc .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!WinExec 00000000753331f9 5 bytes JMP 000000007ef2029e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000753576e3 5 bytes JMP 000000007ef20568 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075357706 5 bytes JMP 000000007ef2058a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075357ab1 5 bytes JMP 000000007ef205ac .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075357b2a 5 bytes JMP 000000007ef205ce .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074fd8fa5 5 bytes JMP 000000007ef200a0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074fdc558 5 bytes JMP 000000007ef20546 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074fdedc6 5 bytes JMP 000000007ef204e0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074fdf329 5 bytes JMP 000000007ef201d2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074fdfbac 5 bytes JMP 000000007ef20106 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074fdfcda 5 bytes JMP 000000007ef20766 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074fe147b 5 bytes JMP 000000007ef20524 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074fe14a2 5 bytes JMP 000000007ef20502 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074fe1e4c 5 bytes JMP 000000007ef2007e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074fe1f38 5 bytes JMP 000000007ef20216 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074fe2bdc 5 bytes JMP 000000007ef2069a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074fe2e40 5 bytes JMP 000000007ef20678 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074fe2e7e 5 bytes JMP 000000007ef206bc .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074fe2fe1 5 bytes JMP 000000007ef2005c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074fe396a 5 bytes JMP 000000007ef2049c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074fe3cd7 5 bytes JMP 000000007ef2018e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074fe3fdf 5 bytes JMP 000000007ef208fe .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074fe45fd 5 bytes JMP 000000007ef201f4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074fe476f 5 bytes JMP 000000007ef204be .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074fe4798 5 bytes JMP 000000007ef202e2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074fe9dcf 5 bytes JMP 000000007ef20832 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074fea11c 5 bytes JMP 000000007ef20854 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074fea37a 5 bytes JMP 000000007ef20964 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074fea589 5 bytes JMP 000000007ef20986 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074fea663 5 bytes JMP 000000007ef20942 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074fec8a8 5 bytes JMP 000000007ef2027c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074fee414 5 bytes JMP 000000007ef209a8 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074dea472 5 bytes JMP 000000007ef20ab8 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074df27ce 5 bytes JMP 000000007ef20b84 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074dfe6cf 5 bytes JMP 000000007ef20b62 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076958e69 5 bytes JMP 000000007ef20d60 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076959159 5 bytes JMP 000000007ef20d1c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076959166 5 bytes JMP 000000007ef20dc6 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007695c4b2 5 bytes JMP 000000007ef20e2c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007695c9cc 5 bytes JMP 000000007ef20bc8 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007695de94 5 bytes JMP 000000007ef20d3e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007695deb6 5 bytes JMP 000000007ef20e0a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007695dece 5 bytes JMP 000000007ef20da4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007695defe 5 bytes JMP 000000007ef20de8 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076962b38 5 bytes JMP 000000007ef20ba6 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000769635e4 5 bytes JMP 000000007ef20cb6 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076964939 5 bytes JMP 000000007ef20ada .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000769770a4 5 bytes JMP 000000007ef20cfa .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000769770bc 5 bytes JMP 000000007ef20c2e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000769770d4 5 bytes JMP 000000007ef20c50 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 000000007697771b 5 bytes JMP 000000007ef20d82 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769933a4 5 bytes JMP 000000007ef20c72 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769933b4 5 bytes JMP 000000007ef20c94 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769933c4 5 bytes JMP 000000007ef20bea .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769933d4 5 bytes JMP 000000007ef20c0c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076993414 5 bytes JMP 000000007ef20cd8 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!GetWindowLongW 00000000766b7004 5 bytes JMP 000000007ef211c2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000766b78f2 5 bytes JMP 000000007ef20f3c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000766b7be3 5 bytes JMP 000000007ef20f1a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000766b8342 5 bytes JMP 000000007ef21206 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000766b8a39 5 bytes JMP 000000007ef20fe6 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000766b990d 5 bytes JMP 000000007ef2115c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000766bb6fd 5 bytes JMP 000000007ef20afc .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!GetWindowLongA 00000000766bd166 5 bytes JMP 000000007ef211a0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000766bd23e 5 bytes JMP 000000007ef21008 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee19 5 bytes JMP 000000007ef20ef8 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000766bfff6 5 bytes JMP 000000007ef21118 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000766c00e9 5 bytes JMP 000000007ef2113a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000766c05ca 5 bytes JMP 000000007ef20f80 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000766c0e0b 5 bytes JMP 000000007ef2102a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000766c20fc 5 bytes JMP 000000007ef210f6 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000766c5f84 5 bytes JMP 000000007ef20f5e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000766c6120 5 bytes JMP 000000007ef211e4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000766c6295 5 bytes JMP 000000007ef20fa2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7613 5 bytes JMP 000000007ef20ed6 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7678 5 bytes JMP 000000007ef2124a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000766c7afe 5 bytes JMP 000000007ef210d4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c836c 5 bytes JMP 000000007ef20eb4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000766dce64 5 bytes JMP 000000007ef2106e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df54b 5 bytes JMP 000000007ef20fc4 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000766df5a8 5 bytes JMP 000000007ef2117e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000766e10c0 5 bytes JMP 000000007ef2104c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007670fd9e 5 bytes JMP 000000007ef21090 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007670fdc2 5 bytes JMP 000000007ef210b2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716e25 5 bytes JMP 000000007ef21228 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000074f0633b 5 bytes JMP 000000007ef20b1e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000074f28735 5 bytes JMP 000000007ef20e4e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000074f28754 5 bytes JMP 000000007ef20e70 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000074f3422a 5 bytes JMP 000000007ef20e92 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075800199 5 bytes JMP 000000007ef2126c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000767a3918 5 bytes JMP 000000007ef2146a .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!WSASocketW 00000000767a3cd3 5 bytes JMP 000000007ef21448 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!socket 00000000767a3eb8 5 bytes JMP 000000007ef2148c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000767a4406 5 bytes JMP 000000007ef2139e .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 00000000767a4889 5 bytes JMP 000000007ef213e2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!recv 00000000767a6826 5 bytes JMP 000000007ef214d0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!connect 00000000767a68f5 5 bytes JMP 000000007ef213c0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!send 00000000767a6c19 5 bytes JMP 000000007ef2137c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000767a6da1 5 bytes JMP 000000007ef214f2 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 00000000767aa6db 5 bytes JMP 000000007ef21404 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000767abcd5 5 bytes JMP 000000007ef214ae .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000767b771b 5 bytes JMP 000000007ef21426 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\urlmon.dll!CreateUri + 128 0000000076cc2b50 5 bytes JMP 000000007ef2159c .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW 0000000076d011b0 5 bytes JMP 000000007ef21602 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076d01970 5 bytes JMP 000000007ef215be .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 0000000076d7e750 5 bytes JMP 000000007ef215e0 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cb1401 2 bytes JMP 752db263 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cb1419 2 bytes JMP 752db38e C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cb1431 2 bytes JMP 753590f1 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cb144a 2 bytes CALL 752b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cb14dd 2 bytes JMP 753589ea C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cb14f5 2 bytes JMP 75358bc0 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cb150d 2 bytes JMP 753588e0 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cb1525 2 bytes JMP 75358caa C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cb153d 2 bytes JMP 752cfce8 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cb1555 2 bytes JMP 752d6937 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cb156d 2 bytes JMP 753591a9 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cb1585 2 bytes JMP 75358d0a C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cb159d 2 bytes JMP 753588a4 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cb15b5 2 bytes JMP 752cfd81 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cb15cd 2 bytes JMP 752db324 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cb16b2 2 bytes JMP 7535906c C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\TeamViewer.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cb16bd 2 bytes JMP 75358839 C:\Windows\syswow64\kernel32.dll .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000773df900 5 bytes JMP 000000007ef20920 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000773df938 5 bytes JMP 000000007ef20a52 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000773df9f0 5 bytes JMP 000000007ef20700 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfad0 5 bytes JMP 000000007ef208ba .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000773dfb38 1 byte JMP 000000007ef20656 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 2 00000000773dfb3a 3 bytes {JMP 0x7b40b1e} .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000773dfbb8 5 bytes JMP 000000007ef209ec .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000773dfc30 5 bytes JMP 000000007ef203f2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773dfc60 5 bytes JMP 000000007ef20018 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000773dfc90 5 bytes JMP 000000007ef2003a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfcc0 5 bytes JMP 000000007ef20634 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000773dfdd8 5 bytes JMP 000000007ef20a30 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773dfe24 5 bytes JMP 000000007ef203ae .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000773dfe54 5 bytes JMP 000000007ef20436 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773dfeb8 5 bytes JMP 000000007ef20876 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000773dfed0 5 bytes JMP 000000007ef20810 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000773dff34 5 bytes JMP 000000007ef20414 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000773dfffc 5 bytes JMP 000000007ef2036a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773e0014 5 bytes JMP 000000007ef20326 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0048 5 bytes JMP 000000007ef208dc .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773e00c4 2 bytes JMP 000000007ef20128 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 00000000773e00c7 2 bytes [B4, 07] .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000773e01d4 5 bytes JMP 000000007ef201b0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773e07ac 2 bytes JMP 000000007ef20898 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 3 00000000773e07af 2 bytes [B4, 07] .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000773e0824 5 bytes JMP 000000007ef20348 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773e08b4 5 bytes JMP 000000007ef20304 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773e0e04 5 bytes JMP 000000007ef20722 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000773e10d0 5 bytes JMP 000000007ef209ca .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000773e1614 5 bytes JMP 000000007ef205f0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773e1930 5 bytes JMP 000000007ef203d0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773e1bf4 5 bytes JMP 000000007ef20744 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000773e1d64 5 bytes JMP 000000007ef2047a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773e1d80 5 bytes JMP 000000007ef20458 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000773e1d9c 5 bytes JMP 000000007ef20a74 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000773f2954 5 bytes JMP 000000007ef200c2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000773f8ee1 5 bytes JMP 000000007ef20a0e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 000000007741fffb 5 bytes JMP 000000007ef2016c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007746869b 5 bytes JMP 000000007ef20612 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007746e93b 5 bytes JMP 000000007ef2014a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000752b0e00 5 bytes JMP 000000007ef200e4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752b1072 5 bytes JMP 000000007ef202c0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000752b499f 5 bytes JMP 000000007ef20238 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752c3be3 5 bytes JMP 000000007ef2038c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752c9ae4 5 bytes JMP 000000007ef207ee .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000752c9b45 5 bytes JMP 000000007ef207aa .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000752d736f 5 bytes JMP 000000007ef2025a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000752d8922 5 bytes JMP 000000007ef206de .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000752dccf1 5 bytes JMP 000000007ef20788 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752dcd11 5 bytes JMP 000000007ef207cc .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!WinExec 00000000753331f9 5 bytes JMP 000000007ef2029e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000753576e3 5 bytes JMP 000000007ef20568 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075357706 5 bytes JMP 000000007ef2058a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075357ab1 5 bytes JMP 000000007ef205ac .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075357b2a 5 bytes JMP 000000007ef205ce .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074fd8fa5 5 bytes JMP 000000007ef200a0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074fdc558 5 bytes JMP 000000007ef20546 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074fdedc6 5 bytes JMP 000000007ef204e0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074fdf329 5 bytes JMP 000000007ef201d2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074fdfbac 5 bytes JMP 000000007ef20106 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074fdfcda 5 bytes JMP 000000007ef20766 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074fe147b 5 bytes JMP 000000007ef20524 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074fe14a2 5 bytes JMP 000000007ef20502 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074fe1e4c 5 bytes JMP 000000007ef2007e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074fe1f38 5 bytes JMP 000000007ef20216 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074fe2bdc 5 bytes JMP 000000007ef2069a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074fe2e40 5 bytes JMP 000000007ef20678 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074fe2e7e 5 bytes JMP 000000007ef206bc .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074fe2fe1 5 bytes JMP 000000007ef2005c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074fe396a 5 bytes JMP 000000007ef2049c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074fe3cd7 5 bytes JMP 000000007ef2018e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074fe3fdf 5 bytes JMP 000000007ef208fe .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074fe45fd 5 bytes JMP 000000007ef201f4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074fe476f 5 bytes JMP 000000007ef204be .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074fe4798 5 bytes JMP 000000007ef202e2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074fe9dcf 5 bytes JMP 000000007ef20832 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074fea11c 5 bytes JMP 000000007ef20854 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074fea37a 5 bytes JMP 000000007ef20964 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074fea589 5 bytes JMP 000000007ef20986 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074fea663 5 bytes JMP 000000007ef20942 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074fec8a8 5 bytes JMP 000000007ef2027c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074fee414 5 bytes JMP 000000007ef209a8 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076958e69 5 bytes JMP 000000007ef20cd8 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076959159 5 bytes JMP 000000007ef20c94 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076959166 5 bytes JMP 000000007ef20d3e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007695c4b2 5 bytes JMP 000000007ef20da4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007695c9cc 5 bytes JMP 000000007ef20b40 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007695de94 5 bytes JMP 000000007ef20cb6 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007695deb6 5 bytes JMP 000000007ef20d82 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007695dece 5 bytes JMP 000000007ef20d1c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007695defe 5 bytes JMP 000000007ef20d60 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076962b38 5 bytes JMP 000000007ef20b1e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000769635e4 5 bytes JMP 000000007ef20c2e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076964939 5 bytes JMP 000000007ef20a96 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000769770a4 5 bytes JMP 000000007ef20c72 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000769770bc 5 bytes JMP 000000007ef20ba6 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000769770d4 5 bytes JMP 000000007ef20bc8 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 000000007697771b 5 bytes JMP 000000007ef20cfa .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769933a4 5 bytes JMP 000000007ef20bea .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769933b4 5 bytes JMP 000000007ef20c0c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769933c4 5 bytes JMP 000000007ef20b62 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769933d4 5 bytes JMP 000000007ef20b84 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076993414 5 bytes JMP 000000007ef20c50 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074dea472 5 bytes JMP 000000007ef20ab8 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074df27ce 5 bytes JMP 000000007ef20afc .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074dfe6cf 5 bytes JMP 000000007ef20ada .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000074f0633b 5 bytes JMP 000000007ef20dc6 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000074f28735 5 bytes JMP 000000007ef211c2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000074f28754 5 bytes JMP 000000007ef211e4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000074f3422a 5 bytes JMP 000000007ef21206 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!GetWindowLongW 00000000766b7004 5 bytes JMP 000000007ef21118 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000766b78f2 5 bytes JMP 000000007ef20e92 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000766b7be3 5 bytes JMP 000000007ef20e70 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000766b8342 5 bytes JMP 000000007ef2115c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000766b8a39 5 bytes JMP 000000007ef20f3c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000766b990d 5 bytes JMP 000000007ef210b2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000766bb6fd 5 bytes JMP 000000007ef20de8 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!GetWindowLongA 00000000766bd166 5 bytes JMP 000000007ef210f6 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000766bd23e 5 bytes JMP 000000007ef20f5e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee19 5 bytes JMP 000000007ef20e4e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000766bfff6 5 bytes JMP 000000007ef2106e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000766c00e9 5 bytes JMP 000000007ef21090 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000766c05ca 5 bytes JMP 000000007ef20ed6 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000766c0e0b 5 bytes JMP 000000007ef20f80 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000766c20fc 5 bytes JMP 000000007ef2104c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000766c5f84 5 bytes JMP 000000007ef20eb4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000766c6120 5 bytes JMP 000000007ef2113a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000766c6295 5 bytes JMP 000000007ef20ef8 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7613 5 bytes JMP 000000007ef20e2c .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7678 5 bytes JMP 000000007ef211a0 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000766c7afe 5 bytes JMP 000000007ef2102a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c836c 5 bytes JMP 000000007ef20e0a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000766dce64 5 bytes JMP 000000007ef20fc4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df54b 5 bytes JMP 000000007ef20f1a .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000766df5a8 5 bytes JMP 000000007ef210d4 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000766e10c0 5 bytes JMP 000000007ef20fa2 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007670fd9e 5 bytes JMP 000000007ef20fe6 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007670fdc2 5 bytes JMP 000000007ef21008 .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716e25 5 bytes JMP 000000007ef2117e .text C:\Programy\TeamViewer\tv_w32.exe[3236] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW 0000000075800199 5 bytes JMP 000000007ef2124a .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtReadFile 000000007722bb90 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile 000000007722bbb0 12 bytes [48, B8, 6A, 25, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, 7C, 22, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007722bf40 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007722c080 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, 96, 26, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, 00, 26, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, A8, 23, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, 8E, 1F, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, 50, 21, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, E2, 46, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 78, 47, F2, FF, FF, 07, ...] .text C:\Programy\TeamViewer\tv_x64.exe[3232] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, 0E, 48, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007722bf40 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\system32\SearchIndexer.exe[4416] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007722bf40 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, 42, 28, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, 88, 2E, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, 60, 31, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, 5C, 2D, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 9E, 2F, F2, FF, FF, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, 6E, 29, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 04, 2B, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, 38, 34, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1113b1 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1118e0 12 bytes [48, B8, FC, 4A, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff111bd1 11 bytes [B8, 66, 4A, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff112201 11 bytes [B8, EA, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1123c0 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!connect 000007feff1142f0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!send + 1 000007feff117cd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff118ac0 8 bytes [48, B8, 3A, 49, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff118ac9 3 bytes [00, 50, C3] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff11be40 12 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff11d911 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff11d9c1 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff13e081 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fef8fd22d0 12 bytes [48, B8, D8, 50, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fef8fd45f0 12 bytes [48, B8, 42, 50, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fef8fe3e68 12 bytes [48, B8, 6E, 51, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW 000007fefe5a8c80 12 bytes [48, B8, 30, 53, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1 000007fefe5c4001 11 bytes [B8, 9A, 52, F2, FF, FF, 07, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 000007fefc5a56e0 12 bytes [48, B8, 88, 55, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 000007fefc5b010c 12 bytes [48, B8, F2, 54, F2, FF, FF, ...] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4552] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 000007fefc5cdaa0 12 bytes [48, B8, 5C, 54, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007722bf40 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchProtocolHost.exe[4616] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, E6, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 000000007722bf40 12 bytes [48, B8, 48, 1A, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, D4, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 12, 23, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, F8, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, BA, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, 74, 1B, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\SearchFilterHost.exe[4636] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, D4, 24, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, AA, 38, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 40, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, D6, 39, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, 32, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, 82, 3B, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 74, 43, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 6C, 3A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, DE, 42, F2, FF, FF, 07] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 44, 3E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1113b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1118e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff111bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff112201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1123c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!connect 000007feff1142f0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!send + 1 000007feff117cd1 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff118ac0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff118ac9 3 bytes [00, 50, C3] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff11be40 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff11d911 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff11d9c1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff13e081 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle 000007fef8fd22d0 12 bytes [48, B8, 16, 4F, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest 000007fef8fd45f0 12 bytes [48, B8, 80, 4E, F2, FF, FF, ...] .text C:\Windows\system32\svchost.exe[4692] C:\Windows\system32\WINHTTP.dll!WinHttpConnect 000007fef8fe3e68 12 bytes [48, B8, AC, 4F, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 2 bytes [B8, D4] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 52 000007feff434294 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1113b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1118e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff111bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff112201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1123c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!connect 000007feff1142f0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!send + 1 000007feff117cd1 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff118ac0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff118ac9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff11be40 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff11d911 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff11d9c1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4932] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff13e081 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1113b1 11 bytes [B8, 84, 29, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1118e0 12 bytes [48, B8, EE, 28, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff111bd1 11 bytes [B8, 58, 28, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff112201 11 bytes [B8, DC, 2B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1123c0 12 bytes [48, B8, 00, 26, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!connect 000007feff1142f0 12 bytes [48, B8, 6A, 25, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!send + 1 000007feff117cd1 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff118ac0 8 bytes [48, B8, 2C, 27, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff118ac9 3 bytes [00, 50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff11be40 12 bytes [48, B8, 96, 26, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff11d911 11 bytes [B8, 1A, 2A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff11d9c1 11 bytes [B8, 46, 2B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff13e081 11 bytes [B8, B0, 2A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 08, 2D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 9E, 2D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 34, 2E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, CA, 2E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, A8, 4B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, D0, 48, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, 20, 43, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, 66, 49, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 12, 4B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, 3E, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 0E, 47, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 0A, 42, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 3 bytes [48, B8, 3A] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CreateServiceW + 4 000007feff4349b4 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 7C, 4A, F2, FF, FF, 07] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, A4, 47, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, 4C, 44, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[4940] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, E2, 45, F2, FF, FF, ...] .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000773df900 5 bytes JMP 000000007ef20920 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000773df938 5 bytes JMP 000000007ef20a52 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000773df9f0 5 bytes JMP 000000007ef20700 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfad0 5 bytes JMP 000000007ef208ba .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 00000000773dfb38 1 byte JMP 000000007ef20656 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess + 2 00000000773dfb3a 3 bytes {JMP 0x7b40b1e} .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationToken 00000000773dfbb8 5 bytes JMP 000000007ef209ec .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess 00000000773dfc30 5 bytes JMP 000000007ef203f2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000773dfc60 5 bytes JMP 000000007ef20018 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000773dfc90 5 bytes JMP 000000007ef2003a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfcc0 5 bytes JMP 000000007ef20634 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000773dfdd8 5 bytes JMP 000000007ef20a30 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000773dfe24 5 bytes JMP 000000007ef203ae .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000773dfe54 5 bytes JMP 000000007ef20436 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000773dfeb8 5 bytes JMP 000000007ef20876 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 00000000773dfed0 5 bytes JMP 000000007ef20810 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 00000000773dff34 5 bytes JMP 000000007ef20414 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000773dfffc 5 bytes JMP 000000007ef2036a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 00000000773e0014 5 bytes JMP 000000007ef20326 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0048 5 bytes JMP 000000007ef208dc .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773e00c4 2 bytes JMP 000000007ef20128 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 3 00000000773e00c7 2 bytes [B4, 07] .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000773e01d4 5 bytes JMP 000000007ef201b0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000773e07ac 2 bytes JMP 000000007ef20898 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 3 00000000773e07af 2 bytes [B4, 07] .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000773e0824 5 bytes JMP 000000007ef20348 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000773e08b4 5 bytes JMP 000000007ef20304 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 00000000773e0e04 5 bytes JMP 000000007ef20722 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken 00000000773e10d0 5 bytes JMP 000000007ef209ca .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError 00000000773e1614 5 bytes JMP 000000007ef205f0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000773e1930 5 bytes JMP 000000007ef203d0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 00000000773e1bf4 5 bytes JMP 000000007ef20744 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSuspendProcess 00000000773e1d64 5 bytes JMP 000000007ef2047a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 00000000773e1d80 5 bytes JMP 000000007ef20458 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 00000000773e1d9c 5 bytes JMP 000000007ef20a74 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter 00000000773f2954 5 bytes JMP 000000007ef200c2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!RtlEqualSid 00000000773f8ee1 5 bytes JMP 000000007ef20a0e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx 000000007741fffb 5 bytes JMP 000000007ef2016c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!RtlReportException 000000007746869b 5 bytes JMP 000000007ef20612 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters 000000007746e93b 5 bytes JMP 000000007ef2014a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA 00000000752b0e00 5 bytes JMP 000000007ef200e4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000752b1072 5 bytes JMP 000000007ef202c0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 00000000752b499f 5 bytes JMP 000000007ef20238 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000752c3be3 5 bytes JMP 000000007ef2038c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 00000000752c9ae4 5 bytes JMP 000000007ef207ee .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!MoveFileExW 00000000752c9b45 5 bytes JMP 000000007ef207aa .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot 00000000752d736f 5 bytes JMP 000000007ef2025a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!Process32NextW 00000000752d8922 5 bytes JMP 000000007ef206de .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!MoveFileExA 00000000752dccf1 5 bytes JMP 000000007ef20788 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 00000000752dcd11 5 bytes JMP 000000007ef207cc .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!WinExec 00000000753331f9 5 bytes JMP 000000007ef2029e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA 00000000753576e3 5 bytes JMP 000000007ef20568 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW 0000000075357706 5 bytes JMP 000000007ef2058a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!ReadConsoleA 0000000075357ab1 5 bytes JMP 000000007ef205ac .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\kernel32.dll!ReadConsoleW 0000000075357b2a 5 bytes JMP 000000007ef205ce .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime 0000000074fd8fa5 5 bytes JMP 000000007ef200a0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle 0000000074fdc558 5 bytes JMP 000000007ef20546 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory 0000000074fdedc6 5 bytes JMP 000000007ef204e0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess 0000000074fdf329 5 bytes JMP 000000007ef201d2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW 0000000074fdfbac 5 bytes JMP 000000007ef20106 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 0000000074fdfcda 5 bytes JMP 000000007ef20766 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW 0000000074fe147b 5 bytes JMP 000000007ef20524 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW 0000000074fe14a2 5 bytes JMP 000000007ef20502 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000074fe1e4c 5 bytes JMP 000000007ef2007e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress 0000000074fe1f38 5 bytes JMP 000000007ef20216 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000074fe2bdc 5 bytes JMP 000000007ef2069a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA 0000000074fe2e40 5 bytes JMP 000000007ef20678 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000074fe2e7e 5 bytes JMP 000000007ef206bc .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA 0000000074fe2fe1 5 bytes JMP 000000007ef2005c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!OpenThread 0000000074fe396a 5 bytes JMP 000000007ef2049c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!SleepEx 0000000074fe3cd7 5 bytes JMP 000000007ef2018e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000074fe3fdf 5 bytes JMP 000000007ef208fe .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!Sleep 0000000074fe45fd 5 bytes JMP 000000007ef201f4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CreateThread 0000000074fe476f 5 bytes JMP 000000007ef204be .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread 0000000074fe4798 5 bytes JMP 000000007ef202e2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileW 0000000074fe9dcf 5 bytes JMP 000000007ef20832 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!DeleteFileA 0000000074fea11c 5 bytes JMP 000000007ef20854 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!FindNextFileW 0000000074fea37a 5 bytes JMP 000000007ef20964 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!FindClose 0000000074fea589 5 bytes JMP 000000007ef20986 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!FindFirstFileExW 0000000074fea663 5 bytes JMP 000000007ef20942 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA 0000000074fec8a8 5 bytes JMP 000000007ef2027c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\KERNELBASE.dll!CreateWellKnownSid 0000000074fee414 5 bytes JMP 000000007ef209a8 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!GetWindowLongW 00000000766b7004 5 bytes JMP 000000007ef2117e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000766b78f2 5 bytes JMP 000000007ef20ef8 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!GetMessageA 00000000766b7be3 5 bytes JMP 000000007ef20ed6 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowLongW 00000000766b8342 5 bytes JMP 000000007ef211c2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000766b8a39 5 bytes JMP 000000007ef20fa2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!FindWindowW 00000000766b990d 5 bytes JMP 000000007ef21118 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize 00000000766bb6fd 5 bytes JMP 000000007ef20a96 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!GetWindowLongA 00000000766bd166 5 bytes JMP 000000007ef2115c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000766bd23e 5 bytes JMP 000000007ef20fc4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000766bee19 5 bytes JMP 000000007ef20eb4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!FindWindowA 00000000766bfff6 5 bytes JMP 000000007ef210d4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!FindWindowExA 00000000766c00e9 5 bytes JMP 000000007ef210f6 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000766c05ca 5 bytes JMP 000000007ef20f3c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!ShowWindow 00000000766c0e0b 5 bytes JMP 000000007ef20fe6 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowTextW 00000000766c20fc 5 bytes JMP 000000007ef210b2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!PeekMessageA 00000000766c5f84 5 bytes JMP 000000007ef20f1a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowLongA 00000000766c6120 5 bytes JMP 000000007ef211a0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000766c6295 5 bytes JMP 000000007ef20f5e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000766c7613 5 bytes JMP 000000007ef20e92 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 00000000766c7678 5 bytes JMP 000000007ef21206 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowTextA 00000000766c7afe 5 bytes JMP 000000007ef21090 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000766c836c 1 byte JMP 000000007ef20e70 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA + 2 00000000766c836e 3 bytes {JMP 0x8858b04} .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW 00000000766dce64 5 bytes JMP 000000007ef2102a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000766df54b 5 bytes JMP 000000007ef20f80 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!FindWindowExW 00000000766df5a8 5 bytes JMP 000000007ef2113a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW 00000000766e10c0 5 bytes JMP 000000007ef21008 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007670fd9e 5 bytes JMP 000000007ef2104c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007670fdc2 5 bytes JMP 000000007ef2106e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076716e25 5 bytes JMP 000000007ef211e4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\GDI32.dll!TranslateCharsetInfo + 505 0000000074f0633b 5 bytes JMP 000000007ef20ab8 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\GDI32.dll!SetBrushAttributes 0000000074f28735 5 bytes JMP 000000007ef20b62 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\GDI32.dll!ClearBrushAttributes 0000000074f28754 5 bytes JMP 000000007ef20b84 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\GDI32.dll!NamedEscape 0000000074f3422a 5 bytes JMP 000000007ef20ba6 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\msvcrt.dll!_lock + 41 0000000074dea472 5 bytes JMP 000000007ef20ada .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\msvcrt.dll!__p__fmode 0000000074df27ce 5 bytes JMP 000000007ef20b40 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\msvcrt.dll!__p__environ 0000000074dfe6cf 5 bytes JMP 000000007ef20b1e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptGenKey 0000000076958e69 5 bytes JMP 000000007ef20d82 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextA 0000000076959159 5 bytes JMP 000000007ef20d3e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptExportKey 0000000076959166 5 bytes JMP 000000007ef20de8 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptImportKey 000000007695c4b2 5 bytes JMP 000000007ef20e4e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW 000000007695c9cc 5 bytes JMP 000000007ef20bea .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptAcquireContextW 000000007695de94 5 bytes JMP 000000007ef20d60 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptHashData 000000007695deb6 5 bytes JMP 000000007ef20e2c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptCreateHash 000000007695dece 5 bytes JMP 000000007ef20dc6 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptGetHashParam 000000007695defe 5 bytes JMP 000000007ef20e0a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA 0000000076962b38 5 bytes JMP 000000007ef20bc8 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle 00000000769635e4 5 bytes JMP 000000007ef20cd8 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222 0000000076964939 5 bytes JMP 000000007ef20afc .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 00000000769770a4 5 bytes JMP 000000007ef20d1c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!ControlService 00000000769770bc 5 bytes JMP 000000007ef20c50 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 00000000769770d4 5 bytes JMP 000000007ef20c72 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CryptEncrypt 000000007697771b 5 bytes JMP 000000007ef20da4 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000769933a4 5 bytes JMP 000000007ef20c94 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000769933b4 5 bytes JMP 000000007ef20cb6 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA 00000000769933c4 5 bytes JMP 000000007ef20c0c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW 00000000769933d4 5 bytes JMP 000000007ef20c2e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 0000000076993414 5 bytes JMP 000000007ef20cfa .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!closesocket 00000000767a3918 5 bytes JMP 000000007ef21338 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!WSASocketW 00000000767a3cd3 5 bytes JMP 000000007ef21316 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!socket 00000000767a3eb8 5 bytes JMP 000000007ef2135a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!WSASend 00000000767a4406 5 bytes JMP 000000007ef2126c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 00000000767a4889 5 bytes JMP 000000007ef212b0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!recv 00000000767a6826 5 bytes JMP 000000007ef2139e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!connect 00000000767a68f5 5 bytes JMP 000000007ef2128e .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!send 00000000767a6c19 5 bytes JMP 000000007ef2124a .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!WSARecv 00000000767a6da1 5 bytes JMP 000000007ef213c0 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 00000000767aa6db 5 bytes JMP 000000007ef212d2 .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!WSAConnect 00000000767abcd5 5 bytes JMP 000000007ef2137c .text c:\programy\teamviewer\TeamViewer_Desktop.exe[5056] C:\Windows\syswow64\WS2_32.dll!gethostbyname 00000000767b771b 5 bytes JMP 000000007ef212f4 .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!RtlEqualSid + 1 0000000077207411 11 bytes [B8, E6, 21, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 0000000077214f51 7 bytes [B8, 64, 0D, F2, FF, FF, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 10 0000000077214f5a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtClose 000000007722bc20 12 bytes [48, B8, 98, 15, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007722bcb0 12 bytes [48, B8, A0, 1C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 000000007722bcf0 12 bytes [48, B8, 14, 12, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationToken 000000007722bd40 12 bytes [48, B8, 50, 21, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007722bd90 12 bytes [48, B8, 5C, 06, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007722bdb0 12 bytes [48, B8, 80, 00, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 000000007722bdd0 12 bytes [48, B8, 16, 01, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007722bdf0 12 bytes [48, B8, 7E, 11, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007722bea0 12 bytes [48, B8, 12, 23, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007722bed0 12 bytes [48, B8, 30, 05, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007722bef0 12 bytes [48, B8, 88, 07, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007722bf30 12 bytes [48, B8, 74, 1B, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007722bf80 12 bytes [48, B8, F2, 06, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007722c000 12 bytes [48, B8, 04, 04, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007722c010 12 bytes [48, B8, D8, 02, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007722c030 12 bytes [48, B8, 36, 1D, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 000000007722c130 12 bytes [48, B8, 3E, 24, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007722c500 12 bytes [48, B8, 0A, 1C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007722c550 12 bytes [48, B8, 6E, 03, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007722c5b0 12 bytes [48, B8, 42, 02, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007722c920 12 bytes [48, B8, 2E, 16, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 000000007722caf0 12 bytes [48, B8, BA, 20, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError 000000007722ce60 12 bytes [48, B8, 52, 10, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007722d060 12 bytes [48, B8, C6, 05, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007722d220 12 bytes [48, B8, C4, 16, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007722d300 12 bytes [48, B8, 4A, 09, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007722d310 12 bytes [48, B8, B4, 08, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007722d320 12 bytes [48, B8, A8, 23, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1 000000007729e211 11 bytes [B8, E8, 10, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, 34, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, 5C, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, E0, 31, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, AC, 27, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, F2, 2D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 9E, 2F, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, CA, 30, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 9A, 2B, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 2 bytes [B8, D4] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 52 000007feff434294 8 bytes [F2, FF, FF, 07, 00, 00, 50, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, C6, 2C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, 08, 2F, F2, FF, FF, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, 30, 2C, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, D8, 28, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 6E, 2A, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 76, 32, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 0C, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, A2, 33, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!WSASend + 1 000007feff1113b1 11 bytes [B8, FC, 4A, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!closesocket 000007feff1118e0 12 bytes [48, B8, 66, 4A, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!WSASocketW + 1 000007feff111bd1 11 bytes [B8, D0, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!WSARecv + 1 000007feff112201 11 bytes [B8, 54, 4D, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 000007feff1123c0 12 bytes [48, B8, 78, 47, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!connect 000007feff1142f0 12 bytes [48, B8, E2, 46, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!send + 1 000007feff117cd1 11 bytes [B8, 3A, 49, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!gethostbyname 000007feff118ac0 8 bytes [48, B8, A4, 48, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!gethostbyname + 9 000007feff118ac9 3 bytes [00, 50, C3] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 000007feff11be40 12 bytes [48, B8, 0E, 48, F2, FF, FF, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!socket + 1 000007feff11d911 11 bytes [B8, 92, 4B, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!recv + 1 000007feff11d9c1 11 bytes [B8, BE, 4C, F2, FF, FF, 07, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[5852] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 000007feff13e081 11 bytes [B8, 28, 4C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!Process32NextW + 1 00000000770c1b21 11 bytes [B8, 02, 15, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot 00000000770c1c10 12 bytes [48, B8, 1E, 08, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!MoveFileExW + 1 00000000770c2b61 8 bytes [B8, 86, 18, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!MoveFileExW + 10 00000000770c2b6a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000770ddbf0 12 bytes [48, B8, 9A, 04, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1 00000000770e08c1 11 bytes [B8, 7C, 22, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1 0000000077115461 11 bytes [B8, 90, 0E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1 0000000077115481 11 bytes [B8, FA, 0D, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!ReadConsoleW 000000007712a820 12 bytes [48, B8, BC, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!ReadConsoleA 000000007712a930 12 bytes [48, B8, 26, 0F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW + 1 000000007714f6d1 11 bytes [B8, B2, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA + 1 000000007714f8d1 11 bytes [B8, 1C, 19, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!MoveFileExA + 1 000000007714f901 8 bytes [B8, F0, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\kernel32.dll!MoveFileExA + 10 000000007714f90a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1 000007fefcfd1861 11 bytes [B8, CE, 0C, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1 000007fefcfd3371 11 bytes [B8, 6C, 14, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!FindClose + 1 000007fefcfd6401 11 bytes [B8, 8E, 1F, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!FindFirstFileExW 000007fefcfd6620 12 bytes [48, B8, 62, 1E, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!FindNextFileW + 1 000007fefcfd7901 11 bytes [B8, F8, 1E, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 000007fefcfd8750 9 bytes [48, B8, 38, 0C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateMutexW + 10 000007fefcfd875a 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateWellKnownSid + 1 000007fefcfda5c1 11 bytes [B8, 24, 20, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 000007fefcfdaa61 11 bytes [B8, D6, 13, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx 000007fefcfdacb0 12 bytes [48, B8, CC, 1D, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 000007fefcfdc751 11 bytes [B8, AA, 12, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!OpenThread + 1 000007fefcfdef51 11 bytes [B8, E0, 09, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 000007fefcfe1c41 11 bytes [B8, A2, 0B, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!DeleteFileW + 1 000007fefcfe3291 11 bytes [B8, 48, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!DeleteFileA + 1 000007fefcfe35a1 11 bytes [B8, DE, 1A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcfe9ac0 12 bytes [48, B8, 40, 13, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory 000007fefd0038a0 12 bytes [48, B8, 0C, 0B, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW + 1 000007fefd00ff01 11 bytes [B8, 5A, 17, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1 000007fefd0122c1 8 bytes [B8, AC, 01, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10 000007fefd0122ca 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1 000007fefd012301 11 bytes [B8, 76, 0A, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\GDI32.dll!GdiDllInitialize + 349 000007fefe79af25 11 bytes [B8, 6A, 25, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\GDI32.dll!SetBrushAttributes + 1 000007fefe7b4965 11 bytes [B8, 96, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\GDI32.dll!ClearBrushAttributes + 1 000007fefe7b4985 11 bytes [B8, 2C, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\GDI32.dll!NamedEscape + 1 000007fefe7c9281 11 bytes [B8, C2, 27, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptExportKey + 1 000007feff41ac21 11 bytes [B8, 0A, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextA + 1 000007feff41ac7d 11 bytes [B8, 32, 41, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptImportKey + 1 000007feff41e415 11 bytes [B8, B6, 45, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!OpenServiceW 000007feff41e514 12 bytes [48, B8, 82, 3B, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptAcquireContextW + 1 000007feff4201bd 11 bytes [B8, C8, 41, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptCreateHash + 1 000007feff420291 11 bytes [B8, 74, 43, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptGetHashParam + 1 000007feff4202bd 11 bytes [B8, A0, 44, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle 000007feff42a830 12 bytes [48, B8, 70, 3F, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 49 000007feff434291 11 bytes [B8, 00, 26, F2, FF, FF, 07, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 000007feff4349b0 12 bytes [48, B8, 9C, 40, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 1 000007feff44a409 7 bytes [B8, DE, 42, F2, FF, FF, 07] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CryptEncrypt + 10 000007feff44a412 2 bytes [50, C3] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 000007feff44a490 12 bytes [48, B8, 06, 40, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW 000007feff44a5e8 36 bytes [48, B8, AE, 3C, F2, FF, FF, ...] .text C:\Windows\System32\svchost.exe[5960] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 000007feff44a66c 12 bytes [48, B8, 44, 3E, F2, FF, FF, ...] ---- Registry - GMER 2.2 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVG\xa0\AVG AntiVirus FREE.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG\xa0\AVG AntiVirus FREE.lnk 1 ---- EOF - GMER 2.2 ----