[分享]滴水双机VT调试器升级版V1.2支持AMD 3000+以上即可安装
晕死，这个似乎需要Visual SoftICE啊？对不对？没有自己的调试界面吗？
[原创]也玩木马分析——从小偷家里偷东西o_0
用工具跑了一下,流程如下~~ 比较奇怪~ 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x00415328> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteCriticalSection"<Addr:0x00415338> EntryPoint:0x7c93135a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LeaveCriticalSection"<Addr:0x00415350> EntryPoint:0x7c9210e0) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"EnterCriticalSection"<Addr:0x00415368> EntryPoint:0x7c921000) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"InitializeCriticalSection"<Addr:0x00415380> EntryPoint:0x7c809f81) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"VirtualFree"<Addr:0x0041539c> EntryPoint:0x7c809b74) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"VirtualAlloc"<Addr:0x004153aa> EntryPoint:0x7c809ae1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalFree"<Addr:0x004153ba> EntryPoint:0x7c8099bf) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalAlloc"<Addr:0x004153c6> EntryPoint:0x7c809a1d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetTickCount"<Addr:0x004153d4> EntryPoint:0x7c80932e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"QueryPerformanceCounter"<Addr:0x004153e4> EntryPoint:0x7c80a4b7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVersion"<Addr:0x004153fe> EntryPoint:0x7c81126a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentThreadId"<Addr:0x0041540c> EntryPoint:0x7c8097b8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetThreadLocale"<Addr:0x00415422> EntryPoint:0x7c80a4a5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetStartupInfoA"<Addr:0x00415434> EntryPoint:0x7c801ef2) 
0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x00415446> EntryPoint:0x7c80b55f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLocaleInfoA"<Addr:0x0041545c> EntryPoint:0x7c80d2f2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLastError"<Addr:0x0041546e> EntryPoint:0x7c92fe01) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCommandLineA"<Addr:0x0041547e> EntryPoint:0x7c812fad) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FreeLibrary"<Addr:0x00415490> EntryPoint:0x7c80ac6e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ExitProcess"<Addr:0x0041549e> EntryPoint:0x7c81cafa) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"WriteFile"<Addr:0x004154ac> EntryPoint:0x7c810e17) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"UnhandledExceptionFilter"<Addr:0x004154b8> EntryPoint:0x7c863e6a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFilePointer"<Addr:0x004154d4> EntryPoint:0x7c810c1e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetEndOfFile"<Addr:0x004154e6> EntryPoint:0x7c83205e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RtlUnwind"<Addr:0x004154f6> EntryPoint:0x7c94aba5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ReadFile"<Addr:0x00415502> EntryPoint:0x7c801812) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RaiseException"<Addr:0x0041550e> EntryPoint:0x7c812a99) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetStdHandle"<Addr:0x00415520> EntryPoint:0x7c812fc9) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileSize"<Addr:0x00415530> EntryPoint:0x7c810b07) 0x004001d9 ----> 
Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileType"<Addr:0x0041553e> EntryPoint:0x7c810ee1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileA"<Addr:0x0041554c> EntryPoint:0x7c801a28) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CloseHandle"<Addr:0x0041555a> EntryPoint:0x7c809bd7) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"user32.dll"<Addr:0x00415566> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetKeyboardType"<Addr:0x00415574> EntryPoint:0x77d311db) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"MessageBoxA"<Addr:0x00415586> EntryPoint:0x77d507ea) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharNextA"<Addr:0x00415594> EntryPoint:0x77d2c8b0) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"advapi32.dll"<Addr:0x0041559e> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegQueryValueExA"<Addr:0x004155ae> EntryPoint:0x77da7aab) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyExA"<Addr:0x004155c2> EntryPoint:0x77da7842) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCloseKey"<Addr:0x004155d2> EntryPoint:0x77da6c17) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"oleaut32.dll"<Addr:0x004155de> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x770f0000, SymName:"SysFreeString"<Addr:0x004155ee> EntryPoint:0x770f4880) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x004155fc> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TlsSetValue"<Addr:0x0041560c> EntryPoint:0x7c809c55) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TlsGetValue"<Addr:0x0041561a> EntryPoint:0x7c8097d0) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, 
SymName:"LocalAlloc"<Addr:0x00415628> EntryPoint:0x7c809a1d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x00415636> EntryPoint:0x7c80b731) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"advapi32.dll"<Addr:0x00415648> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegSetValueExA"<Addr:0x00415658> EntryPoint:0x77daead7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegQueryValueExA"<Addr:0x0041566a> EntryPoint:0x77da7aab) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyExA"<Addr:0x0041567e> EntryPoint:0x77da7842) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyA"<Addr:0x0041568e> EntryPoint:0x77daefb8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegDeleteValueA"<Addr:0x0041569c> EntryPoint:0x77daecd5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegDeleteKeyA"<Addr:0x004156ae> EntryPoint:0x77db4280) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCreateKeyExA"<Addr:0x004156be> EntryPoint:0x77dae9e4) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCloseKey"<Addr:0x004156d0> EntryPoint:0x77da6c17) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"OpenProcessToken"<Addr:0x004156de> EntryPoint:0x77da797b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"LookupPrivilegeValueA"<Addr:0x004156f2> EntryPoint:0x77dcc208) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"AdjustTokenPrivileges"<Addr:0x0041570a> EntryPoint:0x77daeffc) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x00415720> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"WinExec"<Addr:0x00415730> EntryPoint:0x7c8623ad) 0x004001d9 ----> Call 
Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"UnmapViewOfFile"<Addr:0x0041573a> EntryPoint:0x7c80ba04) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TerminateProcess"<Addr:0x0041574c> EntryPoint:0x7c801e1a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Sleep"<Addr:0x00415760> EntryPoint:0x7c802446) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileTime"<Addr:0x00415768> EntryPoint:0x7c831ca8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileAttributesA"<Addr:0x00415776> EntryPoint:0x7c812812) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetErrorMode"<Addr:0x0041578c> EntryPoint:0x7c80ac9f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RemoveDirectoryA"<Addr:0x0041579c> EntryPoint:0x7c85c121) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ReleaseMutex"<Addr:0x004157b0> EntryPoint:0x7c8024b7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"OpenProcess"<Addr:0x004157c0> EntryPoint:0x7c8309d1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"OpenMutexA"<Addr:0x004157ce> EntryPoint:0x7c80eaab) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MoveFileExA"<Addr:0x004157dc> EntryPoint:0x7c85e3cb) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MoveFileA"<Addr:0x004157ea> EntryPoint:0x7c835ea7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MapViewOfFile"<Addr:0x004157f6> EntryPoint:0x7c80b995) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LoadLibraryA"<Addr:0x00415806> EntryPoint:0x7c801d7b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetWindowsDirectoryA"<Addr:0x00415816> EntryPoint:0x7c82134b) 0x004001d9 ----> Call Kernel32.GetProcAddress 
( hModule:0x7c800000, SymName:"GetVolumeInformationA"<Addr:0x0041582e> EntryPoint:0x7c821b8d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVersionExA"<Addr:0x00415846> EntryPoint:0x7c812b6e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetSystemDirectoryA"<Addr:0x00415856> EntryPoint:0x7c814f7a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetShortPathNameA"<Addr:0x0041586c> EntryPoint:0x7c835bc8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetProcAddress"<Addr:0x00415880> EntryPoint:0x7c80ae30) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x00415892> EntryPoint:0x7c80b731) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x004158a6> EntryPoint:0x7c80b55f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLastError"<Addr:0x004158bc> EntryPoint:0x7c92fe01) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileTime"<Addr:0x004158cc> EntryPoint:0x7c831c35) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileSize"<Addr:0x004158da> EntryPoint:0x7c810b07) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileAttributesA"<Addr:0x004158e8> EntryPoint:0x7c8115cc) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetEnvironmentVariableA"<Addr:0x004158fe> EntryPoint:0x7c814b82) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetDriveTypeA"<Addr:0x00415918> EntryPoint:0x7c8214cb) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentProcessId"<Addr:0x00415928> EntryPoint:0x7c8099b0) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentProcess"<Addr:0x0041593e> EntryPoint:0x7c80de85) 0x004001d9 ----> 
Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetComputerNameA"<Addr:0x00415952> EntryPoint:0x7c82168c) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FreeLibrary"<Addr:0x00415966> EntryPoint:0x7c80ac6e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindNextFileA"<Addr:0x00415974> EntryPoint:0x7c834ec9) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindFirstFileA"<Addr:0x00415984> EntryPoint:0x7c813869) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindClose"<Addr:0x00415996> EntryPoint:0x7c80ee67) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FileTimeToLocalFileTime"<Addr:0x004159a2> EntryPoint:0x7c80e8f6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FileTimeToDosDateTime"<Addr:0x004159bc> EntryPoint:0x7c83064d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteFileA"<Addr:0x004159d4> EntryPoint:0x7c831ec5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateThread"<Addr:0x004159e2> EntryPoint:0x7c8106c7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateMutexA"<Addr:0x004159f2> EntryPoint:0x7c80e9cf) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileMappingA"<Addr:0x00415a02> EntryPoint:0x7c8094ee) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileA"<Addr:0x00415a18> EntryPoint:0x7c801a28) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CopyFileA"<Addr:0x00415a26> EntryPoint:0x7c8286d6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CloseHandle"<Addr:0x00415a32> EntryPoint:0x7c809bd7) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"user32.dll"<Addr:0x00415a3e> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, 
SymName:"CreateWindowExA"<Addr:0x00415a4c> EntryPoint:0x77d2e4a9) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"mouse_event"<Addr:0x00415a5e> EntryPoint:0x77d6673f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"keybd_event"<Addr:0x00415a6c> EntryPoint:0x77d66783) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"TranslateMessage"<Addr:0x00415a7a> EntryPoint:0x77d18bf6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"ShowWindow"<Addr:0x00415a8e> EntryPoint:0x77d2af56) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetTimer"<Addr:0x00415a9c> EntryPoint:0x77d18c2e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetForegroundWindow"<Addr:0x00415aa8> EntryPoint:0x77d242ed) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetCursorPos"<Addr:0x00415abe> EntryPoint:0x77d561b3) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SendMessageA"<Addr:0x00415ace> EntryPoint:0x77d2f3c2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"RegisterClassA"<Addr:0x00415ade> EntryPoint:0x77d2ea5e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostQuitMessage"<Addr:0x00415af0> EntryPoint:0x77d2ca5a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostMessageA"<Addr:0x00415b02> EntryPoint:0x77d2aafd) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"MapVirtualKeyA"<Addr:0x00415b12> EntryPoint:0x77d2feea) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadIconA"<Addr:0x00415b24> EntryPoint:0x77d2e8f6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadCursorA"<Addr:0x00415b30> EntryPoint:0x77d2d33e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, 
SymName:"KillTimer"<Addr:0x00415b3e> EntryPoint:0x77d18c42) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowThreadProcessId"<Addr:0x00415b4a> EntryPoint:0x77d18a80) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowTextA"<Addr:0x00415b66> EntryPoint:0x77d3216b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowRect"<Addr:0x00415b78> EntryPoint:0x77d290b4) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetMessageA"<Addr:0x00415b88> EntryPoint:0x77d2772b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetDesktopWindow"<Addr:0x00415b96> EntryPoint:0x77d2d1d2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetClassNameA"<Addr:0x00415baa> EntryPoint:0x77d2f45f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"FindWindowExA"<Addr:0x00415bba> EntryPoint:0x77d3214a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"FindWindowA"<Addr:0x00415bca> EntryPoint:0x77d282e1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DispatchMessageA"<Addr:0x00415bd8> EntryPoint:0x77d196b8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DefWindowProcA"<Addr:0x00415bec> EntryPoint:0x77d2c17e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharLowerBuffA"<Addr:0x00415bfe> EntryPoint:0x77d28845) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharUpperBuffA"<Addr:0x00415c10> EntryPoint:0x77d1ae3f) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"shell32.dll"<Addr:0x00415c20> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"ShellExecuteA"<Addr:0x00415c2e> EntryPoint:0x7d6111e0) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"wininet.dll"<Addr:0x00415c3c> ) 0x004001d9 ----> Call 
Kernel32.GetProcAddress ( hModule:0x41fd0000, SymName:"DeleteUrlCacheEntry"<Addr:0x00415c4a> EntryPoint:0x420047ee) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"shell32.dll"<Addr:0x00415c5e> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"SHGetSpecialFolderLocation"<Addr:0x00415c6c> EntryPoint:0x7d5bf7e3) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"SHGetPathFromIDListA"<Addr:0x00415c8a> EntryPoint:0x7d604cc1) 0x00404612 ----> Call Kernel32.GetModuleHandleA ( ModuleName:0x00000000 ) 0x0040333a ----> Call User32.GetKeyboardType ( TypeFlag:0 ,Return : 0x00000004) 0x00401092 ----> Call Kernel32.GetCommandLineA ("C:\Matrix\bin\uoyx.ex_.mxe") 0x004010b2 ----> Call Kernel32.GetStartupInfoA ( StartupInfo:0x0012fba8 ) 0x004010ea ----> Call Kernel32.GetVersion ( Version:0x0a280105 ) 0x004010ea ----> Call Kernel32.GetVersion ( Version:0x0a280105 ) 0x004010e2 ----> Call Kernel32.GetCurrentThreadId ( TID:23628 [0x00005c4c] ) 0x004048ba ----> Call Kernel32.GetModuleHandleA ( ModuleName:"kernel32.dll"(0x00404cb8) ) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateToolhelp32Snapshot"<Addr:0x00404cc8> EntryPoint:0x7c865b1f) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32ListFirst"<Addr:0x00404ce4> EntryPoint:0x7c864971) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32ListNext"<Addr:0x00404cf4> EntryPoint:0x7c864a1f) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32First"<Addr:0x00404d04> EntryPoint:0x7c864ab6) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32Next"<Addr:0x00404d10> EntryPoint:0x7c864bd0) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Toolhelp32ReadProcessMemory"<Addr:0x00404d1c> EntryPoint:0x7c864cfc) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, 
SymName:"Process32First"<Addr:0x00404d38> EntryPoint:0x7c864df5) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32Next"<Addr:0x00404d48> EntryPoint:0x7c864f68) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32FirstW"<Addr:0x00404d58> EntryPoint:0x7c864d3c) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32NextW"<Addr:0x00404d68> EntryPoint:0x7c864ec7) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Thread32First"<Addr:0x00404d78> EntryPoint:0x7c86503a) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Thread32Next"<Addr:0x00404d88> EntryPoint:0x7c8650ee) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32First"<Addr:0x00404d98> EntryPoint:0x7c865240) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32Next"<Addr:0x00404da8> EntryPoint:0x7c8653c5) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32FirstW"<Addr:0x00404db8> EntryPoint:0x7c865187) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32NextW"<Addr:0x00404dc8> EntryPoint:0x7c865324) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x00401146 ----> Call Kernel32.InitializeCriticalSection ( CriticalSection:0x004145b4 ) 0x00401126 ----> Call Kernel32.LocalAlloc ( Flags:0x00000000 Bytes:0x00000ff8 Ret:0x00147ed0 ) 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x00000000, dwSize:0x00100000, flAllocationType:0x00002000, flProtect:0x00000001) Ret:0x05140000 0x00401126 ----> Call Kernel32.LocalAlloc ( Flags:0x00000000 Bytes:0x00000644 Ret:0x001497e0 ) 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x05140000, dwSize:0x00004000, flAllocationType:0x00001000, 
flProtect:0x00000004) Ret:0x05140000 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( 
"csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call 
User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a 
----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( 
"mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call 
User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( 
"icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 
0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call 
User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a 
----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( 
ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a 
----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( 
ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" 
) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call 
User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call 
User32.CharLowerBuffA ( "insight3.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call 
User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 
0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x004047e2 ----> Call Kernel32.CloseHandle ( hObject:0x00000090 ) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00004000, dwFreeType:0x00004000) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00000000, dwFreeType:0x00008000) 0x004010f2 ----> Call Kernel32.QueryPerformanceCounter ( PerformanceCount:0x0012fc0c ) 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x00000000, dwSize:0x00100000, flAllocationType:0x00002000, flProtect:0x00000001) Ret:0x05140000 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x05140000, dwSize:0x00004000, flAllocationType:0x00001000, flProtect:0x00000004) Ret:0x05140000 0x004048b2 ----> Call Kernel32.GetModuleFileNameA ( Return Module 
Name:"C:\Matrix\bin\uoyx.ex_.mxe" ) 0x0040101a ----> Call Kernel32.CreateFileA (FileName:"C:\Matrix\bin\uoyx.ex_.mxe" , Ret hFile:0x00000090 {NewName:"C:\Matrix\bin\uoyx.ex_.mxe"}) 0x0040102a ----> Call Kernel32.GetFileSize (hFile:0x00000090, lpFileSizeHigh:0x00000000, FileSize:0x000098b6(39094)) 0x0040105a ----> Call Kernel32.SetFilePointer ( hFile:0x00000090, DistanceToMove:0x0000989d, DistanceToMoveHigh:0x00000000, MoveMethod:FILE_BEGIN ) 0x00402b3e ----> Call Kernel32.ReadFile (ReadBuffer:0x0012faa7, NumberOfBytesToRead:0x00000019) 0x0040102a ----> Call Kernel32.GetFileSize (hFile:0x00000090, lpFileSizeHigh:0x00000000, FileSize:0x000098b6(39094)) 0x0040105a ----> Call Kernel32.SetFilePointer ( hFile:0x00000090, DistanceToMove:0x000097d9, DistanceToMoveHigh:0x00000000, MoveMethod:FILE_BEGIN ) 0x00402b3e ----> Call Kernel32.ReadFile (ReadBuffer:0x0012d398, NumberOfBytesToRead:0x000000c4) 0x00401012 ----> Call Kernel32.CloseHandle ( hObject:0x00000090 ) 0x00404872 ----> Call Kernel32.GetCurrentProcess ( hObject:0xffffffff ) 0x0040479a ----> Call Advapi32.OpenProcessToken (Result:SUCCESS) 0x00404792 ----> Call Advapi32.LookupPrivilegeValueA (SystemName:(null), Name:SeDebugPrivilege, Result:SUCCESS) 0x0040478a ----> Call Advapi32.AdjustTokenPrivileges (DisableAllPrivileges:FALSE NewState:0x0012fc00 Result:FAILD ) 0x0040478a ----> Call Advapi32.AdjustTokenPrivileges (DisableAllPrivileges:FALSE NewState:0x0012fbf0 Result:SUCCESS ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x0040498a ----> Call User32.FindWindowA [Real] ( ClassName:"(null)", WindowName:"(null)", hWnd:0x00210046 ) 0x004053a2 ----> Call Shell32.SHGetSpecialFolderLocation ( "" ) 0x0040539a ----> Call Shell32.SHGetPathFromIDListA ( "" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\DOCUMENTS AND SETTINGS\KENDIV\「开始」菜单\程序\启动\JAFXSC.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x0040498a ----> Call User32.FindWindowA [Real] ( 
ClassName:"(null)", WindowName:"(null)", hWnd:0x00210046 ) 0x004053a2 ----> Call Shell32.SHGetSpecialFolderLocation ( "" ) 0x0040539a ----> Call Shell32.SHGetPathFromIDListA ( "" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\DOCUMENTS AND SETTINGS\ALL USERS\「开始」菜单\程序\启动\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\MUTEMP.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( 
"C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( 
"I:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( 
"C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( 
"P:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 
0x00404972 ----> Call User32.CharUpperBuffA ( "T:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\.EXE" ) 0x00404972 ----> Call 
User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\.EXE" ) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x0040498a ----> Call User32.FindWindowA [Real] ( ClassName:"IAG/", WindowName:"KAE/", hWnd:0x00000000 ) 0x00404972 
----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\JAFXSC.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\XNGGXD.EXE" ) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x00404912 ----> Call Kernel32.OpenMutexA (DesiredAccess:0x001f0001, InheritHandle:"FALSE", Name:"IAG/", hMutex::0x00000000) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x00404912 ----> Call Kernel32.OpenMutexA (DesiredAccess:0x001f0001, InheritHandle:"FALSE", Name:"KAE/", hMutex::0x00000000) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x004047ea ----> Call Kernel32.CopyFileA (ExistingFileName:C:\Matrix\bin\uoyx.ex_.mxe, NewFileName:C:\WINDOWS\system32\jafxsc.exe, FailIfExists:0) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x004047ea ----> Call Kernel32.CopyFileA (ExistingFileName:C:\Matrix\bin\uoyx.ex_.mxe, NewFileName:C:\WINDOWS\system32\xnggxd.exe, FailIfExists:0) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x0040493a ----> Call Kernel32.SetFileAttributesA ( FileName:"C:\WINDOWS\system32\jafxsc.exe", FileAttributes:0x00000006 ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x0040493a ----> Call Kernel32.SetFileAttributesA ( FileName:"C:\WINDOWS\system32\xnggxd.exe", FileAttributes:0x00000006 ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( 
OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404962 ----> Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\jafxsc.exe", CmdShow:0x00000001(1) ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404962 ----> Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\xnggxd.exe", CmdShow:0x00000001(1) ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\" ) 0x004048ea ----> Call Kernel32.GetWindowsDirectoryA ( OutBuffer:"C:\WINDOWS"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\" ) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call 
Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040491a ----> Call Kernel32.OpenProcess [Real] ( DesiredAccess:0x00000001, InheritHandle:0x00000000, ProcessId:0x00005244(21060)(QQ.exe), Result:Success) 0x00404952 ----> Call Kernel32.TerminateProcess [Fake] ( hProcess:0x0000012c, uExitCode:0x00000000, Result:Success) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call 
Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call 
Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call 
Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next 
( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "我的相片.JPG.EXE" ) 0x0040488a ----> Call Kernel32.GetEnvironmentVariableA ( Name:"Comspec", Buffer:"C:\WINDOWS\system32\cmd.exe" nSize:0x00000104) 0x004010aa ----> Call Kernel32.GetModuleFileNameA ( Return Module Name:"C:\Matrix\bin\uoyx.ex_.mxe" ) 0x00404962 ----> Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\cmd.exe /c del "C:\Matrix\bin\uoyx.ex_.mxe"", CmdShow:0x00000000(0) ) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00004000, dwFreeType:0x00004000) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00000000, dwFreeType:0x00008000) 0x0040112e ----> Call Kernel32.LocalFree ( hMem:0x00147ed0 ) 0x0040112e ----> Call Kernel32.LocalFree ( hMem:0x001497e0 ) 
0x0040115e ----> Call ntdll.RtlDeleteCriticalSection (Ret:0x00000000) 0x0040107a ----> Call Kernel32.ExitProcess ( ExitCode:0x00000000) |
|
[原创]Storm worm & botnet analysis
没人看~~ 寒~ |
|
|
|
[求助]为什么有的病毒或者木马需要从cmd.exe来启动程序
使用cmd.exe中转启动，可以避开一些自动化分析工具。部分分析器只跟踪样本自身直接创建的进程；经cmd.exe启动时，目标进程的直接父进程是cmd.exe而不是样本本身（而非explorer.exe），只看样本直接子进程的跟踪就容易漏掉它。另一个更常见的原因是自删除：正在运行的可执行文件无法删除自己的映像，所以用 `cmd.exe /c del "<自身路径>"` 让cmd.exe在样本退出后完成删除——上面木马分析的API跟踪最后一步正是这种用法。 |
|
|
|
《Windows编程循序渐进》已经上市,敬请关注(附样章)
恩~~ 可能对初学者还有所帮助,市面上同类的书太多了。 |
|
[推荐]汇编与反汇编之小技巧
~~~ WinDbg还是要用滴~~ 莫要小看WinDbg~~ 呵呵 |
|
|
|
[讨论]关于精华9中“类的逆向分析”
嗯，类的逆向~~ 如果原始程序使用了模板或者某种设计模式（单例模式、类厂等）以及类的继承，那么你如何逆向还原? 或者在发布时，采用不同的编译器处理不同的模块，在分析时又如何进行? 逆向OO的东东，~~~ 呵呵 |
|
[原创]NT内核下的inline hook,附完整的代码和工程文件
嗯,不错~~ 呵呵 |
|
|
|
[原创]ECC+AES加解密的源码
不错,支持共享~~ |
|
[推荐]Peter Fierre关于虚拟机攻击和检测的文章
楼上的有道理~~ 呵呵 |
|
[原创]有没有分析过Wsyscheck?
这个逆向~~~,IDA+F5,呵呵。 |
|
[原创]菜鸟啄硬壳(之二)――玩转PE文件头
不错,楼主努力,呵呵~~ |
|
《0day安全:软件漏洞分析技术》封面及目录
shellcode/heap_stack overflow/Win32 SEH 的价值已不如从前：打开DEP后，只要EIP指向不具备可执行属性的页，程序就会被自动终止(0xC0000005)。难不成你溢出后再将heap/stack所在page的属性加上可执行属性? ——不过这恰恰是实际中的绕过思路：通过ret2libc/ROP调用VirtualProtect/VirtualAlloc改写页属性或申请可执行内存，再跳回shellcode；而且XP/2003上的DEP默认是OptIn，只覆盖系统程序，大量第三方软件并不受保护，所以这些基础内容并非毫无价值。漏洞挖掘、代码审计、Fuzz倒是不错，不过内容太少，估计就是扫盲而已。实际的说，很怀疑这本书的内容有多少是原创的? 不会是Google资料的汇总吧? |
|
[原创]成功解密Kaspersky病毒库
Can you extract the x86 emulator from the AVC files? Or the unpacking engine from them? I think the signatures are not the most valuable part of the AVC files; the object files embedded in them are the only important thing. I can get the entire signature set from the AVC files (including packer/virus/archive etc.) — it's easy, but also useless. |
|
[讨论]有杀毒软件就一定不会中毒吗?
说的等于没说 |