[原创]也玩木马分析——从小偷家里偷东西o_0-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (88) ◀ 1 2 3 4 ▶
lixupeng 雪币： 563 活跃值： (101) 能力值： ( LV2，RANK：10 ) 在线值：发帖 31 回帖 1636 粉丝 0 关注私信	lixupeng 51 楼收藏了慢慢看 2009-3-1 17:27 0
rizhaoren 雪币： 210 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 33 粉丝 0 关注私信	rizhaoren 52 楼久仰FLY老大,如何也让你给我布置作业?嘿嘿 2009-3-1 20:56 0
recnad 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 36 粉丝 0 关注私信	recnad 53 楼好文章，mark了，现在早上脑子混混的看不进，晚上研究 2009-3-2 09:28 0
Kendiv 雪币： 230 活跃值： (149) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 106 粉丝 0 关注私信	Kendiv 54 楼用工具跑了一下，流程如下～～比较奇怪～ 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x00415328> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteCriticalSection"<Addr:0x00415338> EntryPoint:0x7c93135a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LeaveCriticalSection"<Addr:0x00415350> EntryPoint:0x7c9210e0) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"EnterCriticalSection"<Addr:0x00415368> EntryPoint:0x7c921000) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"InitializeCriticalSection"<Addr:0x00415380> EntryPoint:0x7c809f81) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"VirtualFree"<Addr:0x0041539c> EntryPoint:0x7c809b74) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"VirtualAlloc"<Addr:0x004153aa> EntryPoint:0x7c809ae1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalFree"<Addr:0x004153ba> EntryPoint:0x7c8099bf) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalAlloc"<Addr:0x004153c6> EntryPoint:0x7c809a1d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetTickCount"<Addr:0x004153d4> EntryPoint:0x7c80932e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"QueryPerformanceCounter"<Addr:0x004153e4> EntryPoint:0x7c80a4b7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVersion"<Addr:0x004153fe> EntryPoint:0x7c81126a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentThreadId"<Addr:0x0041540c> EntryPoint:0x7c8097b8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetThreadLocale"<Addr:0x00415422> EntryPoint:0x7c80a4a5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetStartupInfoA"<Addr:0x00415434> EntryPoint:0x7c801ef2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x00415446> EntryPoint:0x7c80b55f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLocaleInfoA"<Addr:0x0041545c> EntryPoint:0x7c80d2f2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLastError"<Addr:0x0041546e> EntryPoint:0x7c92fe01) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCommandLineA"<Addr:0x0041547e> EntryPoint:0x7c812fad) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FreeLibrary"<Addr:0x00415490> EntryPoint:0x7c80ac6e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ExitProcess"<Addr:0x0041549e> EntryPoint:0x7c81cafa) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"WriteFile"<Addr:0x004154ac> EntryPoint:0x7c810e17) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"UnhandledExceptionFilter"<Addr:0x004154b8> EntryPoint:0x7c863e6a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFilePointer"<Addr:0x004154d4> EntryPoint:0x7c810c1e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetEndOfFile"<Addr:0x004154e6> EntryPoint:0x7c83205e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RtlUnwind"<Addr:0x004154f6> EntryPoint:0x7c94aba5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ReadFile"<Addr:0x00415502> EntryPoint:0x7c801812) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RaiseException"<Addr:0x0041550e> EntryPoint:0x7c812a99) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetStdHandle"<Addr:0x00415520> EntryPoint:0x7c812fc9) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileSize"<Addr:0x00415530> EntryPoint:0x7c810b07) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileType"<Addr:0x0041553e> EntryPoint:0x7c810ee1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileA"<Addr:0x0041554c> EntryPoint:0x7c801a28) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CloseHandle"<Addr:0x0041555a> EntryPoint:0x7c809bd7) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"user32.dll"<Addr:0x00415566> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetKeyboardType"<Addr:0x00415574> EntryPoint:0x77d311db) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"MessageBoxA"<Addr:0x00415586> EntryPoint:0x77d507ea) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharNextA"<Addr:0x00415594> EntryPoint:0x77d2c8b0) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"advapi32.dll"<Addr:0x0041559e> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegQueryValueExA"<Addr:0x004155ae> EntryPoint:0x77da7aab) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyExA"<Addr:0x004155c2> EntryPoint:0x77da7842) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCloseKey"<Addr:0x004155d2> EntryPoint:0x77da6c17) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"oleaut32.dll"<Addr:0x004155de> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x770f0000, SymName:"SysFreeString"<Addr:0x004155ee> EntryPoint:0x770f4880) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x004155fc> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TlsSetValue"<Addr:0x0041560c> EntryPoint:0x7c809c55) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TlsGetValue"<Addr:0x0041561a> EntryPoint:0x7c8097d0) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalAlloc"<Addr:0x00415628> EntryPoint:0x7c809a1d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x00415636> EntryPoint:0x7c80b731) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"advapi32.dll"<Addr:0x00415648> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegSetValueExA"<Addr:0x00415658> EntryPoint:0x77daead7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegQueryValueExA"<Addr:0x0041566a> EntryPoint:0x77da7aab) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyExA"<Addr:0x0041567e> EntryPoint:0x77da7842) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyA"<Addr:0x0041568e> EntryPoint:0x77daefb8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegDeleteValueA"<Addr:0x0041569c> EntryPoint:0x77daecd5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegDeleteKeyA"<Addr:0x004156ae> EntryPoint:0x77db4280) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCreateKeyExA"<Addr:0x004156be> EntryPoint:0x77dae9e4) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCloseKey"<Addr:0x004156d0> EntryPoint:0x77da6c17) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"OpenProcessToken"<Addr:0x004156de> EntryPoint:0x77da797b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"LookupPrivilegeValueA"<Addr:0x004156f2> EntryPoint:0x77dcc208) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"AdjustTokenPrivileges"<Addr:0x0041570a> EntryPoint:0x77daeffc) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x00415720> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"WinExec"<Addr:0x00415730> EntryPoint:0x7c8623ad) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"UnmapViewOfFile"<Addr:0x0041573a> EntryPoint:0x7c80ba04) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TerminateProcess"<Addr:0x0041574c> EntryPoint:0x7c801e1a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Sleep"<Addr:0x00415760> EntryPoint:0x7c802446) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileTime"<Addr:0x00415768> EntryPoint:0x7c831ca8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileAttributesA"<Addr:0x00415776> EntryPoint:0x7c812812) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetErrorMode"<Addr:0x0041578c> EntryPoint:0x7c80ac9f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RemoveDirectoryA"<Addr:0x0041579c> EntryPoint:0x7c85c121) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ReleaseMutex"<Addr:0x004157b0> EntryPoint:0x7c8024b7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"OpenProcess"<Addr:0x004157c0> EntryPoint:0x7c8309d1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"OpenMutexA"<Addr:0x004157ce> EntryPoint:0x7c80eaab) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MoveFileExA"<Addr:0x004157dc> EntryPoint:0x7c85e3cb) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MoveFileA"<Addr:0x004157ea> EntryPoint:0x7c835ea7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MapViewOfFile"<Addr:0x004157f6> EntryPoint:0x7c80b995) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LoadLibraryA"<Addr:0x00415806> EntryPoint:0x7c801d7b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetWindowsDirectoryA"<Addr:0x00415816> EntryPoint:0x7c82134b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVolumeInformationA"<Addr:0x0041582e> EntryPoint:0x7c821b8d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVersionExA"<Addr:0x00415846> EntryPoint:0x7c812b6e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetSystemDirectoryA"<Addr:0x00415856> EntryPoint:0x7c814f7a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetShortPathNameA"<Addr:0x0041586c> EntryPoint:0x7c835bc8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetProcAddress"<Addr:0x00415880> EntryPoint:0x7c80ae30) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x00415892> EntryPoint:0x7c80b731) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x004158a6> EntryPoint:0x7c80b55f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLastError"<Addr:0x004158bc> EntryPoint:0x7c92fe01) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileTime"<Addr:0x004158cc> EntryPoint:0x7c831c35) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileSize"<Addr:0x004158da> EntryPoint:0x7c810b07) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileAttributesA"<Addr:0x004158e8> EntryPoint:0x7c8115cc) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetEnvironmentVariableA"<Addr:0x004158fe> EntryPoint:0x7c814b82) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetDriveTypeA"<Addr:0x00415918> EntryPoint:0x7c8214cb) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentProcessId"<Addr:0x00415928> EntryPoint:0x7c8099b0) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentProcess"<Addr:0x0041593e> EntryPoint:0x7c80de85) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetComputerNameA"<Addr:0x00415952> EntryPoint:0x7c82168c) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FreeLibrary"<Addr:0x00415966> EntryPoint:0x7c80ac6e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindNextFileA"<Addr:0x00415974> EntryPoint:0x7c834ec9) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindFirstFileA"<Addr:0x00415984> EntryPoint:0x7c813869) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindClose"<Addr:0x00415996> EntryPoint:0x7c80ee67) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FileTimeToLocalFileTime"<Addr:0x004159a2> EntryPoint:0x7c80e8f6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FileTimeToDosDateTime"<Addr:0x004159bc> EntryPoint:0x7c83064d) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteFileA"<Addr:0x004159d4> EntryPoint:0x7c831ec5) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateThread"<Addr:0x004159e2> EntryPoint:0x7c8106c7) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateMutexA"<Addr:0x004159f2> EntryPoint:0x7c80e9cf) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileMappingA"<Addr:0x00415a02> EntryPoint:0x7c8094ee) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileA"<Addr:0x00415a18> EntryPoint:0x7c801a28) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CopyFileA"<Addr:0x00415a26> EntryPoint:0x7c8286d6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CloseHandle"<Addr:0x00415a32> EntryPoint:0x7c809bd7) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"user32.dll"<Addr:0x00415a3e> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CreateWindowExA"<Addr:0x00415a4c> EntryPoint:0x77d2e4a9) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"mouse_event"<Addr:0x00415a5e> EntryPoint:0x77d6673f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"keybd_event"<Addr:0x00415a6c> EntryPoint:0x77d66783) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"TranslateMessage"<Addr:0x00415a7a> EntryPoint:0x77d18bf6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"ShowWindow"<Addr:0x00415a8e> EntryPoint:0x77d2af56) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetTimer"<Addr:0x00415a9c> EntryPoint:0x77d18c2e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetForegroundWindow"<Addr:0x00415aa8> EntryPoint:0x77d242ed) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetCursorPos"<Addr:0x00415abe> EntryPoint:0x77d561b3) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SendMessageA"<Addr:0x00415ace> EntryPoint:0x77d2f3c2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"RegisterClassA"<Addr:0x00415ade> EntryPoint:0x77d2ea5e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostQuitMessage"<Addr:0x00415af0> EntryPoint:0x77d2ca5a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostMessageA"<Addr:0x00415b02> EntryPoint:0x77d2aafd) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"MapVirtualKeyA"<Addr:0x00415b12> EntryPoint:0x77d2feea) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadIconA"<Addr:0x00415b24> EntryPoint:0x77d2e8f6) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadCursorA"<Addr:0x00415b30> EntryPoint:0x77d2d33e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"KillTimer"<Addr:0x00415b3e> EntryPoint:0x77d18c42) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowThreadProcessId"<Addr:0x00415b4a> EntryPoint:0x77d18a80) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowTextA"<Addr:0x00415b66> EntryPoint:0x77d3216b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowRect"<Addr:0x00415b78> EntryPoint:0x77d290b4) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetMessageA"<Addr:0x00415b88> EntryPoint:0x77d2772b) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetDesktopWindow"<Addr:0x00415b96> EntryPoint:0x77d2d1d2) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetClassNameA"<Addr:0x00415baa> EntryPoint:0x77d2f45f) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"FindWindowExA"<Addr:0x00415bba> EntryPoint:0x77d3214a) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"FindWindowA"<Addr:0x00415bca> EntryPoint:0x77d282e1) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DispatchMessageA"<Addr:0x00415bd8> EntryPoint:0x77d196b8) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DefWindowProcA"<Addr:0x00415bec> EntryPoint:0x77d2c17e) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharLowerBuffA"<Addr:0x00415bfe> EntryPoint:0x77d28845) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharUpperBuffA"<Addr:0x00415c10> EntryPoint:0x77d1ae3f) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"shell32.dll"<Addr:0x00415c20> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"ShellExecuteA"<Addr:0x00415c2e> EntryPoint:0x7d6111e0) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"wininet.dll"<Addr:0x00415c3c> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x41fd0000, SymName:"DeleteUrlCacheEntry"<Addr:0x00415c4a> EntryPoint:0x420047ee) 0x004001c9 ----> Call Kernel32.LoadLibraryA ( FileName:"shell32.dll"<Addr:0x00415c5e> ) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"SHGetSpecialFolderLocation"<Addr:0x00415c6c> EntryPoint:0x7d5bf7e3) 0x004001d9 ----> Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"SHGetPathFromIDListA"<Addr:0x00415c8a> EntryPoint:0x7d604cc1) 0x00404612 ----> Call Kernel32.GetModuleHandleA ( ModuleName:0x00000000 ) 0x0040333a ----> Call User32.GetKeyboardType ( TypeFlag:0 ,Return : 0x00000004) 0x00401092 ----> Call Kernel32.GetCommandLineA ("C:\Matrix\bin\uoyx.ex_.mxe") 0x004010b2 ----> Call Kernel32.GetStartupInfoA ( StartupInfo:0x0012fba8 ) 0x004010ea ----> Call Kernel32.GetVersion ( Version:0x0a280105 ) 0x004010ea ----> Call Kernel32.GetVersion ( Version:0x0a280105 ) 0x004010e2 ----> Call Kernel32.GetCurrentThreadId ( TID:23628 [0x00005c4c] ) 0x004048ba ----> Call Kernel32.GetModuleHandleA ( ModuleName:"kernel32.dll"(0x00404cb8) ) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateToolhelp32Snapshot"<Addr:0x00404cc8> EntryPoint:0x7c865b1f) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32ListFirst"<Addr:0x00404ce4> EntryPoint:0x7c864971) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32ListNext"<Addr:0x00404cf4> EntryPoint:0x7c864a1f) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32First"<Addr:0x00404d04> EntryPoint:0x7c864ab6) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32Next"<Addr:0x00404d10> EntryPoint:0x7c864bd0) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Toolhelp32ReadProcessMemory"<Addr:0x00404d1c> EntryPoint:0x7c864cfc) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32First"<Addr:0x00404d38> EntryPoint:0x7c864df5) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32Next"<Addr:0x00404d48> EntryPoint:0x7c864f68) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32FirstW"<Addr:0x00404d58> EntryPoint:0x7c864d3c) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32NextW"<Addr:0x00404d68> EntryPoint:0x7c864ec7) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Thread32First"<Addr:0x00404d78> EntryPoint:0x7c86503a) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Thread32Next"<Addr:0x00404d88> EntryPoint:0x7c8650ee) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32First"<Addr:0x00404d98> EntryPoint:0x7c865240) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32Next"<Addr:0x00404da8> EntryPoint:0x7c8653c5) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32FirstW"<Addr:0x00404db8> EntryPoint:0x7c865187) 0x004048c2 ----> Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32NextW"<Addr:0x00404dc8> EntryPoint:0x7c865324) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x00401146 ----> Call Kernel32.InitializeCriticalSection ( CriticalSection:0x004145b4 ) 0x00401126 ----> Call Kernel32.LocalAlloc ( Flags:0x00000000 Bytes:0x00000ff8 Ret:0x00147ed0 ) 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x00000000, dwSize:0x00100000, flAllocationType:0x00002000, flProtect:0x00000001) Ret:0x05140000 0x00401126 ----> Call Kernel32.LocalAlloc ( Flags:0x00000000 Bytes:0x00000644 Ret:0x001497e0 ) 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x05140000, dwSize:0x00004000, flAllocationType:0x00001000, flProtect:0x00000004) Ret:0x05140000 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "[system process]" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "system" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smss.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "csrss.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "winlogon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "services.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "lsass.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "spoolsv.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "inetinfo.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mdm.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlservr.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "explorer.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "mysqld-nt.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "sqlwriter.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnat.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmnetdhcp.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "icesword.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "alg.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "hkcmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxsrvc.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "igfxpers.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "smax4pnp.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "daemon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-tray.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "groovemonitor.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "ctfmon.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "msnmsgr.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "usnsvc.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "wftpd32.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "securecrt.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "conime.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "procexp.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "svchost.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "xdict.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "vmware-vmx.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "emule.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "qq.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "txplatform.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "bash.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "devenv.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "iexplore.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "insight3.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "dexplore.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "uedit32.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "editplus.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "cmd.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "calc.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "notepad.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x0040496a ----> Call User32.CharLowerBuffA ( "loader.exe" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040487a ----> Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x004047e2 ----> Call Kernel32.CloseHandle ( hObject:0x00000090 ) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00004000, dwFreeType:0x00004000) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00000000, dwFreeType:0x00008000) 0x004010f2 ----> Call Kernel32.QueryPerformanceCounter ( PerformanceCount:0x0012fc0c ) 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x00000000, dwSize:0x00100000, flAllocationType:0x00002000, flProtect:0x00000001) Ret:0x05140000 0x00401136 ----> Call Kernel32.VirtualAlloc ( lpAddress:0x05140000, dwSize:0x00004000, flAllocationType:0x00001000, flProtect:0x00000004) Ret:0x05140000 0x004048b2 ----> Call Kernel32.GetModuleFileNameA ( Return Module Name:"C:\Matrix\bin\uoyx.ex_.mxe" ) 0x0040101a ----> Call Kernel32.CreateFileA (FileName:"C:\Matrix\bin\uoyx.ex_.mxe" , Ret hFile:0x00000090 {NewName:"C:\Matrix\bin\uoyx.ex_.mxe"}) 0x0040102a ----> Call Kernel32.GetFileSize (hFile:0x00000090, lpFileSizeHigh:0x00000000, FileSize:0x000098b6(39094)) 0x0040105a ----> Call Kernel32.SetFilePointer ( hFile:0x00000090, DistanceToMove:0x0000989d, DistanceToMoveHigh:0x00000000, MoveMethod:FILE_BEGIN ) 0x00402b3e ----> Call Kernel32.ReadFile (ReadBuffer:0x0012faa7, NumberOfBytesToRead:0x00000019) 0x0040102a ----> Call Kernel32.GetFileSize (hFile:0x00000090, lpFileSizeHigh:0x00000000, FileSize:0x000098b6(39094)) 0x0040105a ----> Call Kernel32.SetFilePointer ( hFile:0x00000090, DistanceToMove:0x000097d9, DistanceToMoveHigh:0x00000000, MoveMethod:FILE_BEGIN ) 0x00402b3e ----> Call Kernel32.ReadFile (ReadBuffer:0x0012d398, NumberOfBytesToRead:0x000000c4) 0x00401012 ----> Call Kernel32.CloseHandle ( hObject:0x00000090 ) 0x00404872 ----> Call Kernel32.GetCurrentProcess ( hObject:0xffffffff ) 0x0040479a ----> Call Advapi32.OpenProcessToken (Result:SUCCESS) 0x00404792 ----> Call Advapi32.LookupPrivilegeValueA (SystemName:(null), Name:SeDebugPrivilege, Result:SUCCESS) 0x0040478a ----> Call Advapi32.AdjustTokenPrivileges (DisableAllPrivileges:FALSE NewState:0x0012fc00 Result:FAILD ) 0x0040478a ----> Call Advapi32.AdjustTokenPrivileges (DisableAllPrivileges:FALSE NewState:0x0012fbf0 Result:SUCCESS ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x0040498a ----> Call User32.FindWindowA [Real] ( ClassName:"(null)", WindowName:"(null)", hWnd:0x00210046 ) 0x004053a2 ----> Call Shell32.SHGetSpecialFolderLocation ( "" ) 0x0040539a ----> Call Shell32.SHGetPathFromIDListA ( "" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\DOCUMENTS AND SETTINGS\KENDIV\「开始」菜单\程序\启动\JAFXSC.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x0040498a ----> Call User32.FindWindowA [Real] ( ClassName:"(null)", WindowName:"(null)", hWnd:0x00210046 ) 0x004053a2 ----> Call Shell32.SHGetSpecialFolderLocation ( "" ) 0x0040539a ----> Call Shell32.SHGetPathFromIDListA ( "" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\DOCUMENTS AND SETTINGS\ALL USERS\「开始」菜单\程序\启动\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\MUTEMP.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "D:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "E:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "F:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "G:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "H:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "I:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "J:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "K:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "L:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "M:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "N:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "O:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "P:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Q:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "R:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "S:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "T:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "U:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "V:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "W:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "X:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Y:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\XNGGXD.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "Z:\.EXE" ) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x0040498a ----> Call User32.FindWindowA [Real] ( ClassName:"IAG/", WindowName:"KAE/", hWnd:0x00000000 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\JAFXSC.EXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\XNGGXD.EXE" ) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x00404912 ----> Call Kernel32.OpenMutexA (DesiredAccess:0x001f0001, InheritHandle:"FALSE", Name:"IAG/", hMutex::0x00000000) 0x0040486a ----> Call Kernel32.GetComputerNameA ( "ICE-4COREMX" ) 0x00404912 ----> Call Kernel32.OpenMutexA (DesiredAccess:0x001f0001, InheritHandle:"FALSE", Name:"KAE/", hMutex::0x00000000) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x004047ea ----> Call Kernel32.CopyFileA (ExistingFileName:C:\Matrix\bin\uoyx.ex_.mxe, NewFileName:C:\WINDOWS\system32\jafxsc.exe, FailIfExists:0) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x004047ea ----> Call Kernel32.CopyFileA (ExistingFileName:C:\Matrix\bin\uoyx.ex_.mxe, NewFileName:C:\WINDOWS\system32\xnggxd.exe, FailIfExists:0) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x0040493a ----> Call Kernel32.SetFileAttributesA ( FileName:"C:\WINDOWS\system32\jafxsc.exe", FileAttributes:0x00000006 ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x0040493a ----> Call Kernel32.SetFileAttributesA ( FileName:"C:\WINDOWS\system32\xnggxd.exe", FileAttributes:0x00000006 ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404962 ----> Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\jafxsc.exe", CmdShow:0x00000001(1) ) 0x004048d2 ----> Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404962 ----> Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\xnggxd.exe", CmdShow:0x00000001(1) ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\" ) 0x004048ea ----> Call Kernel32.GetWindowsDirectoryA ( OutBuffer:"C:\WINDOWS"<Addr:0x0012fb04>, SizeOfBuf:260 ) 0x00404972 ----> Call User32.CharUpperBuffA ( "C:\WINDOWS\" ) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x0040491a ----> Call Kernel32.OpenProcess [Real] ( DesiredAccess:0x00000001, InheritHandle:0x00000000, ProcessId:0x00005244(21060)(QQ.exe), Result:Success) 0x00404952 ----> Call Kernel32.TerminateProcess [Fake] ( hProcess:0x0000012c, uExitCode:0x00000000, Result:Success) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404def ----> Call Kernel32.CreateToolhelp32Snapshot ( "" ) 0x00404e0f ----> Call Kernel32.Process32First ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404e2f ----> Call Kernel32.Process32Next ( "" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "UOYX.EX_.MXE" ) 0x00404972 ----> Call User32.CharUpperBuffA ( "我的相片.JPG.EXE" ) 0x0040488a ----> Call Kernel32.GetEnvironmentVariableA ( Name:"Comspec", Buffer:"C:\WINDOWS\system32\cmd.exe" nSize:0x00000104) 0x004010aa ----> Call Kernel32.GetModuleFileNameA ( Return Module Name:"C:\Matrix\bin\uoyx.ex_.mxe" ) 0x00404962 ----> Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\cmd.exe /c del "C:\Matrix\bin\uoyx.ex_.mxe"", CmdShow:0x00000000(0) ) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00004000, dwFreeType:0x00004000) 0x0040113e ----> Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00000000, dwFreeType:0x00008000) 0x0040112e ----> Call Kernel32.LocalFree ( hMem:0x00147ed0 ) 0x0040112e ----> Call Kernel32.LocalFree ( hMem:0x001497e0 ) 0x0040115e ----> Call ntdll.RtlDeleteCriticalSection (Ret:0x00000000) 0x0040107a ----> Call Kernel32.ExitProcess ( ExitCode:0x00000000) 2009-3-10 16:04 0
monsterok 雪币： 603 活跃值： (40) 能力值： ( LV9，RANK：140 ) 在线值：发帖 14 回帖 360 粉丝 0 关注私信	monsterok 3 55 楼写的真好，哈 2009-3-10 18:18 0
情剑无伤雪币： 235 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 33 粉丝 0 关注私信	情剑无伤 56 楼函数写的整齐，也是常用的 2009-3-10 19:40 0
haptor 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	haptor 57 楼好文章，学习了 2009-3-24 09:57 0
roadblosso 雪币： 103 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 61 粉丝 1 关注私信	roadblosso 58 楼写得很好啊，很辛苦 2009-3-24 11:28 0
xinshouzy 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	xinshouzy 59 楼楼主辛苦了！~~~~~~~~~ 2009-3-24 12:26 0
王小攀雪币： 0 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 21 粉丝 0 关注私信	王小攀 60 楼收藏,方便以后可以用 2009-7-29 23:56 0
浩燕雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	浩燕 61 楼我的天哪，这是天书。。。。。 2009-7-30 21:43 0
gaorqing 雪币： 304 活跃值： (66) 能力值： ( LV6，RANK：90 ) 在线值：发帖 8 回帖 36 粉丝 1 关注私信	gaorqing 2 62 楼学习了 2009-7-31 09:36 0
graymice 雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 9 粉丝 0 关注私信	graymice 63 楼 00400154 > 8725 9C554200 xchg dword ptr [42559C], esp 0040015A 61 popad 0040015B 94 xchg eax, esp 0040015C 55 push ebp 0040015D A4 movs byte ptr es:[edi], byte ptr [esi] 0040015E B6 80 mov dh, 80 00400160 FF13 call dword ptr [ebx] 这个木马的进入点在这里，而且导入函数就只有2个，是加壳了，还是修改了PE头文件，具体怎么实现的，那位大虾整理以下 2009-8-2 21:23 0
graymice 雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 9 粉丝 0 关注私信	graymice 64 楼请哪位上传一个没加壳的，谢谢，或者这个加什么壳？ 2009-8-2 21:33 0
安达雪币： 62 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 17 粉丝 0 关注私信	安达 65 楼好东西，谢谢提供 2009-8-2 21:41 0
雪雨馨风雪币： 232 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 21 粉丝 0 关注私信	雪雨馨风 66 楼这木马功能强大啊。。。。LZ分析思维强悍啊 2009-8-4 17:47 0
小瘦猴雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 8 粉丝 0 关注私信	小瘦猴 67 楼兄弟，能不能指点一下怎么去学习这个方面的知识啊，我是计算机专业毕业的，具备了这个方面的基础，有了汇编和C/C++语言基础，对api编程也有基础，另外对于驱动开发也是比较熟悉的，但是在逆向方面怎么没有入门啊，就是拿到一个木马后不知道从哪里开始分析，对于脱壳这方面当然是没有很大问题了，但是对于分析木马这些特征码还是不清楚从何入手，能不能谈下您当时怎么入门的啊 2009-8-24 22:51 0
logical 雪币： 5 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 27 粉丝 0 关注私信	logical 68 楼别的不说了直接收藏了 2009-8-25 09:21 0
lgccaa 雪币： 232 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 32 粉丝 0 关注私信	lgccaa 69 楼 mark up 2009-8-25 11:21 0
feierin 雪币： 474 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 314 粉丝 0 关注私信	feierin 70 楼写病毒很是实用呵呵谢谢楼主 2009-8-25 14:44 0
fullx 雪币： 249 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 1 关注私信	fullx 71 楼写的很详细, 学习 2009-8-26 02:18 0
yuruozhou 雪币： 134 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 24 粉丝 0 关注私信	yuruozhou 72 楼不是木马吧...这很明显是一个Worm类... 2009-8-27 19:40 0
kougui 雪币： 192 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 34 粉丝 0 关注私信	kougui 73 楼这病毒很**…… 太变态了，想不明白，搞到这种地步这木马如何存在于电脑之中……主人还不直接修理去了？ 2009-8-27 21:57 0
foresee 雪币： 222 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 6 回帖 153 粉丝 0 关注私信	foresee 2 74 楼现在的老大很多了,.分不清 2009-8-28 00:43 0
kangk 雪币： 100 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 20 粉丝 0 关注私信	kangk 75 楼楼主很厉害啊,写这么多汇编 2009-9-4 15:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

lixupeng

雪币： 563

活跃值： (101)

能力值：

( LV2，RANK：10 )

在线值：

发帖

31

回帖

1636

粉丝

0

关注

私信

lixupeng: 51 楼

收藏了慢慢看

2009-3-1 17:27

0

rizhaoren

雪币： 210

活跃值： (40)

能力值：

( LV2，RANK：10 )

在线值：

发帖

8

回帖

33

粉丝

0

关注

私信

rizhaoren: 52 楼

久仰FLY老大,如何也让你给我布置作业?嘿嘿

2009-3-1 20:56

0

recnad

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

6

回帖

36

粉丝

0

关注

私信

recnad: 53 楼

好文章，mark了，现在早上脑子混混的看不进，晚上研究

2009-3-2 09:28

0

Kendiv

雪币： 230

活跃值： (149)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

106

粉丝

0

关注

私信

Kendiv: 54 楼

用工具跑了一下，流程如下～～比较奇怪～

0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x00415328> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteCriticalSection"<Addr:0x00415338> EntryPoint:0x7c93135a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LeaveCriticalSection"<Addr:0x00415350> EntryPoint:0x7c9210e0)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"EnterCriticalSection"<Addr:0x00415368> EntryPoint:0x7c921000)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"InitializeCriticalSection"<Addr:0x00415380> EntryPoint:0x7c809f81)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"VirtualFree"<Addr:0x0041539c> EntryPoint:0x7c809b74)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"VirtualAlloc"<Addr:0x004153aa> EntryPoint:0x7c809ae1)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalFree"<Addr:0x004153ba> EntryPoint:0x7c8099bf)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalAlloc"<Addr:0x004153c6> EntryPoint:0x7c809a1d)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetTickCount"<Addr:0x004153d4> EntryPoint:0x7c80932e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"QueryPerformanceCounter"<Addr:0x004153e4> EntryPoint:0x7c80a4b7)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVersion"<Addr:0x004153fe> EntryPoint:0x7c81126a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentThreadId"<Addr:0x0041540c> EntryPoint:0x7c8097b8)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetThreadLocale"<Addr:0x00415422> EntryPoint:0x7c80a4a5)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetStartupInfoA"<Addr:0x00415434> EntryPoint:0x7c801ef2)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x00415446> EntryPoint:0x7c80b55f)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLocaleInfoA"<Addr:0x0041545c> EntryPoint:0x7c80d2f2)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLastError"<Addr:0x0041546e> EntryPoint:0x7c92fe01)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCommandLineA"<Addr:0x0041547e> EntryPoint:0x7c812fad)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FreeLibrary"<Addr:0x00415490> EntryPoint:0x7c80ac6e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ExitProcess"<Addr:0x0041549e> EntryPoint:0x7c81cafa)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"WriteFile"<Addr:0x004154ac> EntryPoint:0x7c810e17)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"UnhandledExceptionFilter"<Addr:0x004154b8> EntryPoint:0x7c863e6a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFilePointer"<Addr:0x004154d4> EntryPoint:0x7c810c1e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetEndOfFile"<Addr:0x004154e6> EntryPoint:0x7c83205e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RtlUnwind"<Addr:0x004154f6> EntryPoint:0x7c94aba5)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ReadFile"<Addr:0x00415502> EntryPoint:0x7c801812)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RaiseException"<Addr:0x0041550e> EntryPoint:0x7c812a99)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetStdHandle"<Addr:0x00415520> EntryPoint:0x7c812fc9)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileSize"<Addr:0x00415530> EntryPoint:0x7c810b07)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileType"<Addr:0x0041553e> EntryPoint:0x7c810ee1)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileA"<Addr:0x0041554c> EntryPoint:0x7c801a28)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CloseHandle"<Addr:0x0041555a> EntryPoint:0x7c809bd7)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"user32.dll"<Addr:0x00415566> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetKeyboardType"<Addr:0x00415574> EntryPoint:0x77d311db)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"MessageBoxA"<Addr:0x00415586> EntryPoint:0x77d507ea)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharNextA"<Addr:0x00415594> EntryPoint:0x77d2c8b0)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"advapi32.dll"<Addr:0x0041559e> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegQueryValueExA"<Addr:0x004155ae> EntryPoint:0x77da7aab)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyExA"<Addr:0x004155c2> EntryPoint:0x77da7842)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCloseKey"<Addr:0x004155d2> EntryPoint:0x77da6c17)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"oleaut32.dll"<Addr:0x004155de> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x770f0000, SymName:"SysFreeString"<Addr:0x004155ee> EntryPoint:0x770f4880)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x004155fc> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TlsSetValue"<Addr:0x0041560c> EntryPoint:0x7c809c55)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TlsGetValue"<Addr:0x0041561a> EntryPoint:0x7c8097d0)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LocalAlloc"<Addr:0x00415628> EntryPoint:0x7c809a1d)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x00415636> EntryPoint:0x7c80b731)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"advapi32.dll"<Addr:0x00415648> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegSetValueExA"<Addr:0x00415658> EntryPoint:0x77daead7)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegQueryValueExA"<Addr:0x0041566a> EntryPoint:0x77da7aab)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyExA"<Addr:0x0041567e> EntryPoint:0x77da7842)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegOpenKeyA"<Addr:0x0041568e> EntryPoint:0x77daefb8)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegDeleteValueA"<Addr:0x0041569c> EntryPoint:0x77daecd5)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegDeleteKeyA"<Addr:0x004156ae> EntryPoint:0x77db4280)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCreateKeyExA"<Addr:0x004156be> EntryPoint:0x77dae9e4)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"RegCloseKey"<Addr:0x004156d0> EntryPoint:0x77da6c17)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"OpenProcessToken"<Addr:0x004156de> EntryPoint:0x77da797b)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"LookupPrivilegeValueA"<Addr:0x004156f2> EntryPoint:0x77dcc208)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77da0000, SymName:"AdjustTokenPrivileges"<Addr:0x0041570a> EntryPoint:0x77daeffc)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"kernel32.dll"<Addr:0x00415720> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"WinExec"<Addr:0x00415730> EntryPoint:0x7c8623ad)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"UnmapViewOfFile"<Addr:0x0041573a> EntryPoint:0x7c80ba04)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"TerminateProcess"<Addr:0x0041574c> EntryPoint:0x7c801e1a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Sleep"<Addr:0x00415760> EntryPoint:0x7c802446)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileTime"<Addr:0x00415768> EntryPoint:0x7c831ca8)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetFileAttributesA"<Addr:0x00415776> EntryPoint:0x7c812812)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"SetErrorMode"<Addr:0x0041578c> EntryPoint:0x7c80ac9f)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"RemoveDirectoryA"<Addr:0x0041579c> EntryPoint:0x7c85c121)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"ReleaseMutex"<Addr:0x004157b0> EntryPoint:0x7c8024b7)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"OpenProcess"<Addr:0x004157c0> EntryPoint:0x7c8309d1)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"OpenMutexA"<Addr:0x004157ce> EntryPoint:0x7c80eaab)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MoveFileExA"<Addr:0x004157dc> EntryPoint:0x7c85e3cb)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MoveFileA"<Addr:0x004157ea> EntryPoint:0x7c835ea7)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"MapViewOfFile"<Addr:0x004157f6> EntryPoint:0x7c80b995)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"LoadLibraryA"<Addr:0x00415806> EntryPoint:0x7c801d7b)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetWindowsDirectoryA"<Addr:0x00415816> EntryPoint:0x7c82134b)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVolumeInformationA"<Addr:0x0041582e> EntryPoint:0x7c821b8d)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetVersionExA"<Addr:0x00415846> EntryPoint:0x7c812b6e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetSystemDirectoryA"<Addr:0x00415856> EntryPoint:0x7c814f7a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetShortPathNameA"<Addr:0x0041586c> EntryPoint:0x7c835bc8)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetProcAddress"<Addr:0x00415880> EntryPoint:0x7c80ae30)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleHandleA"<Addr:0x00415892> EntryPoint:0x7c80b731)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetModuleFileNameA"<Addr:0x004158a6> EntryPoint:0x7c80b55f)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetLastError"<Addr:0x004158bc> EntryPoint:0x7c92fe01)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileTime"<Addr:0x004158cc> EntryPoint:0x7c831c35)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileSize"<Addr:0x004158da> EntryPoint:0x7c810b07)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetFileAttributesA"<Addr:0x004158e8> EntryPoint:0x7c8115cc)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetEnvironmentVariableA"<Addr:0x004158fe> EntryPoint:0x7c814b82)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetDriveTypeA"<Addr:0x00415918> EntryPoint:0x7c8214cb)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentProcessId"<Addr:0x00415928> EntryPoint:0x7c8099b0)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetCurrentProcess"<Addr:0x0041593e> EntryPoint:0x7c80de85)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"GetComputerNameA"<Addr:0x00415952> EntryPoint:0x7c82168c)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FreeLibrary"<Addr:0x00415966> EntryPoint:0x7c80ac6e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindNextFileA"<Addr:0x00415974> EntryPoint:0x7c834ec9)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindFirstFileA"<Addr:0x00415984> EntryPoint:0x7c813869)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FindClose"<Addr:0x00415996> EntryPoint:0x7c80ee67)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FileTimeToLocalFileTime"<Addr:0x004159a2> EntryPoint:0x7c80e8f6)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"FileTimeToDosDateTime"<Addr:0x004159bc> EntryPoint:0x7c83064d)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"DeleteFileA"<Addr:0x004159d4> EntryPoint:0x7c831ec5)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateThread"<Addr:0x004159e2> EntryPoint:0x7c8106c7)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateMutexA"<Addr:0x004159f2> EntryPoint:0x7c80e9cf)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileMappingA"<Addr:0x00415a02> EntryPoint:0x7c8094ee)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateFileA"<Addr:0x00415a18> EntryPoint:0x7c801a28)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CopyFileA"<Addr:0x00415a26> EntryPoint:0x7c8286d6)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CloseHandle"<Addr:0x00415a32> EntryPoint:0x7c809bd7)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"user32.dll"<Addr:0x00415a3e> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CreateWindowExA"<Addr:0x00415a4c> EntryPoint:0x77d2e4a9)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"mouse_event"<Addr:0x00415a5e> EntryPoint:0x77d6673f)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"keybd_event"<Addr:0x00415a6c> EntryPoint:0x77d66783)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"TranslateMessage"<Addr:0x00415a7a> EntryPoint:0x77d18bf6)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"ShowWindow"<Addr:0x00415a8e> EntryPoint:0x77d2af56)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetTimer"<Addr:0x00415a9c> EntryPoint:0x77d18c2e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetForegroundWindow"<Addr:0x00415aa8> EntryPoint:0x77d242ed)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SetCursorPos"<Addr:0x00415abe> EntryPoint:0x77d561b3)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"SendMessageA"<Addr:0x00415ace> EntryPoint:0x77d2f3c2)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"RegisterClassA"<Addr:0x00415ade> EntryPoint:0x77d2ea5e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostQuitMessage"<Addr:0x00415af0> EntryPoint:0x77d2ca5a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"PostMessageA"<Addr:0x00415b02> EntryPoint:0x77d2aafd)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"MapVirtualKeyA"<Addr:0x00415b12> EntryPoint:0x77d2feea)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadIconA"<Addr:0x00415b24> EntryPoint:0x77d2e8f6)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"LoadCursorA"<Addr:0x00415b30> EntryPoint:0x77d2d33e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"KillTimer"<Addr:0x00415b3e> EntryPoint:0x77d18c42)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowThreadProcessId"<Addr:0x00415b4a> EntryPoint:0x77d18a80)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowTextA"<Addr:0x00415b66> EntryPoint:0x77d3216b)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetWindowRect"<Addr:0x00415b78> EntryPoint:0x77d290b4)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetMessageA"<Addr:0x00415b88> EntryPoint:0x77d2772b)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetDesktopWindow"<Addr:0x00415b96> EntryPoint:0x77d2d1d2)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"GetClassNameA"<Addr:0x00415baa> EntryPoint:0x77d2f45f)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"FindWindowExA"<Addr:0x00415bba> EntryPoint:0x77d3214a)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"FindWindowA"<Addr:0x00415bca> EntryPoint:0x77d282e1)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DispatchMessageA"<Addr:0x00415bd8> EntryPoint:0x77d196b8)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"DefWindowProcA"<Addr:0x00415bec> EntryPoint:0x77d2c17e)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharLowerBuffA"<Addr:0x00415bfe> EntryPoint:0x77d28845)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x77d10000, SymName:"CharUpperBuffA"<Addr:0x00415c10> EntryPoint:0x77d1ae3f)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"shell32.dll"<Addr:0x00415c20> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"ShellExecuteA"<Addr:0x00415c2e> EntryPoint:0x7d6111e0)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"wininet.dll"<Addr:0x00415c3c> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x41fd0000, SymName:"DeleteUrlCacheEntry"<Addr:0x00415c4a> EntryPoint:0x420047ee)
0x004001c9 ---->  Call Kernel32.LoadLibraryA ( FileName:"shell32.dll"<Addr:0x00415c5e> )
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"SHGetSpecialFolderLocation"<Addr:0x00415c6c> EntryPoint:0x7d5bf7e3)
0x004001d9 ---->  Call Kernel32.GetProcAddress ( hModule:0x7d590000, SymName:"SHGetPathFromIDListA"<Addr:0x00415c8a> EntryPoint:0x7d604cc1)
0x00404612 ---->  Call Kernel32.GetModuleHandleA ( ModuleName:0x00000000 )
0x0040333a ---->  Call User32.GetKeyboardType ( TypeFlag:0 ,Return : 0x00000004)
0x00401092 ---->  Call Kernel32.GetCommandLineA ("C:\Matrix\bin\uoyx.ex_.mxe")
0x004010b2 ---->  Call Kernel32.GetStartupInfoA ( StartupInfo:0x0012fba8 )
0x004010ea ---->  Call Kernel32.GetVersion ( Version:0x0a280105 )
0x004010ea ---->  Call Kernel32.GetVersion ( Version:0x0a280105 )
0x004010e2 ---->  Call Kernel32.GetCurrentThreadId ( TID:23628 [0x00005c4c] )
0x004048ba ---->  Call Kernel32.GetModuleHandleA ( ModuleName:"kernel32.dll"(0x00404cb8) )
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"CreateToolhelp32Snapshot"<Addr:0x00404cc8> EntryPoint:0x7c865b1f)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32ListFirst"<Addr:0x00404ce4> EntryPoint:0x7c864971)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32ListNext"<Addr:0x00404cf4> EntryPoint:0x7c864a1f)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32First"<Addr:0x00404d04> EntryPoint:0x7c864ab6)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Heap32Next"<Addr:0x00404d10> EntryPoint:0x7c864bd0)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Toolhelp32ReadProcessMemory"<Addr:0x00404d1c> EntryPoint:0x7c864cfc)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32First"<Addr:0x00404d38> EntryPoint:0x7c864df5)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32Next"<Addr:0x00404d48> EntryPoint:0x7c864f68)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32FirstW"<Addr:0x00404d58> EntryPoint:0x7c864d3c)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Process32NextW"<Addr:0x00404d68> EntryPoint:0x7c864ec7)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Thread32First"<Addr:0x00404d78> EntryPoint:0x7c86503a)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Thread32Next"<Addr:0x00404d88> EntryPoint:0x7c8650ee)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32First"<Addr:0x00404d98> EntryPoint:0x7c865240)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32Next"<Addr:0x00404da8> EntryPoint:0x7c8653c5)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32FirstW"<Addr:0x00404db8> EntryPoint:0x7c865187)
0x004048c2 ---->  Call Kernel32.GetProcAddress ( hModule:0x7c800000, SymName:"Module32NextW"<Addr:0x00404dc8> EntryPoint:0x7c865324)
0x00404def ---->  Call Kernel32.CreateToolhelp32Snapshot ( "" )
0x00404e0f ---->  Call Kernel32.Process32First ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x00401146 ---->  Call Kernel32.InitializeCriticalSection ( CriticalSection:0x004145b4 )
0x00401126 ---->  Call Kernel32.LocalAlloc ( Flags:0x00000000 Bytes:0x00000ff8 Ret:0x00147ed0 )
0x00401136 ---->  Call Kernel32.VirtualAlloc ( lpAddress:0x00000000, dwSize:0x00100000, flAllocationType:0x00002000, flProtect:0x00000001) Ret:0x05140000
0x00401126 ---->  Call Kernel32.LocalAlloc ( Flags:0x00000000 Bytes:0x00000644 Ret:0x001497e0 )
0x00401136 ---->  Call Kernel32.VirtualAlloc ( lpAddress:0x05140000, dwSize:0x00004000, flAllocationType:0x00001000, flProtect:0x00000004) Ret:0x05140000
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "[system process]" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "system" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smss.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "csrss.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "winlogon.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "services.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "lsass.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "spoolsv.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "inetinfo.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mdm.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlservr.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "explorer.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "mysqld-nt.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "sqlwriter.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnat.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmnetdhcp.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "icesword.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "alg.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "hkcmd.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxsrvc.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "igfxpers.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "smax4pnp.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "daemon.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "googlepinyindaemon.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-tray.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "groovemonitor.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "ctfmon.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "msnmsgr.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "usnsvc.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "wftpd32.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "securecrt.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "conime.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "procexp.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "svchost.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "xdict.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "vmware-vmx.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "emule.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "qq.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "txplatform.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "bash.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "devenv.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "iexplore.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "insight3.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "dexplore.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "uedit32.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "editplus.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "cmd.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "calc.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "notepad.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x0040496a ---->  Call User32.CharLowerBuffA ( "loader.exe" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040487a ---->  Call Kernel32.GetCurrentProcessId [Real] ( ProcId:0x00005a10 )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x004047e2 ---->  Call Kernel32.CloseHandle ( hObject:0x00000090 )
0x0040113e ---->  Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00004000, dwFreeType:0x00004000)
0x0040113e ---->  Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00000000, dwFreeType:0x00008000)
0x004010f2 ---->  Call Kernel32.QueryPerformanceCounter ( PerformanceCount:0x0012fc0c )
0x00401136 ---->  Call Kernel32.VirtualAlloc ( lpAddress:0x00000000, dwSize:0x00100000, flAllocationType:0x00002000, flProtect:0x00000001) Ret:0x05140000
0x00401136 ---->  Call Kernel32.VirtualAlloc ( lpAddress:0x05140000, dwSize:0x00004000, flAllocationType:0x00001000, flProtect:0x00000004) Ret:0x05140000
0x004048b2 ---->  Call Kernel32.GetModuleFileNameA ( Return Module Name:"C:\Matrix\bin\uoyx.ex_.mxe" )
0x0040101a ---->  Call Kernel32.CreateFileA (FileName:"C:\Matrix\bin\uoyx.ex_.mxe" , Ret hFile:0x00000090 {NewName:"C:\Matrix\bin\uoyx.ex_.mxe"})
0x0040102a ---->  Call Kernel32.GetFileSize (hFile:0x00000090, lpFileSizeHigh:0x00000000, FileSize:0x000098b6(39094))
0x0040105a ---->  Call Kernel32.SetFilePointer ( hFile:0x00000090, DistanceToMove:0x0000989d, DistanceToMoveHigh:0x00000000, MoveMethod:FILE_BEGIN )
0x00402b3e ---->  Call Kernel32.ReadFile (ReadBuffer:0x0012faa7, NumberOfBytesToRead:0x00000019)
0x0040102a ---->  Call Kernel32.GetFileSize (hFile:0x00000090, lpFileSizeHigh:0x00000000, FileSize:0x000098b6(39094))
0x0040105a ---->  Call Kernel32.SetFilePointer ( hFile:0x00000090, DistanceToMove:0x000097d9, DistanceToMoveHigh:0x00000000, MoveMethod:FILE_BEGIN )
0x00402b3e ---->  Call Kernel32.ReadFile (ReadBuffer:0x0012d398, NumberOfBytesToRead:0x000000c4)
0x00401012 ---->  Call Kernel32.CloseHandle ( hObject:0x00000090 )
0x00404872 ---->  Call Kernel32.GetCurrentProcess ( hObject:0xffffffff )
0x0040479a ---->  Call Advapi32.OpenProcessToken (Result:SUCCESS)
0x00404792 ---->  Call Advapi32.LookupPrivilegeValueA (SystemName:(null), Name:SeDebugPrivilege, Result:SUCCESS)
0x0040478a ---->  Call Advapi32.AdjustTokenPrivileges (DisableAllPrivileges:FALSE NewState:0x0012fc00 Result:FAILD )
0x0040478a ---->  Call Advapi32.AdjustTokenPrivileges (DisableAllPrivileges:FALSE NewState:0x0012fbf0 Result:SUCCESS )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x0040498a ---->  Call User32.FindWindowA [Real] ( ClassName:"(null)", WindowName:"(null)", hWnd:0x00210046 )
0x004053a2 ---->  Call Shell32.SHGetSpecialFolderLocation ( "" )
0x0040539a ---->  Call Shell32.SHGetPathFromIDListA ( "" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\DOCUMENTS AND SETTINGS\KENDIV\「开始」菜单\程序\启动\JAFXSC.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x0040498a ---->  Call User32.FindWindowA [Real] ( ClassName:"(null)", WindowName:"(null)", hWnd:0x00210046 )
0x004053a2 ---->  Call Shell32.SHGetSpecialFolderLocation ( "" )
0x0040539a ---->  Call Shell32.SHGetPathFromIDListA ( "" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\DOCUMENTS AND SETTINGS\ALL USERS\「开始」菜单\程序\启动\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\MUTEMP.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "D:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "D:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "D:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "D:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "E:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "E:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "E:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "E:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "F:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "F:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "F:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "F:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "G:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "G:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "G:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "G:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "H:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "H:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "H:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "H:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "I:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "I:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "I:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "I:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "J:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "J:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "J:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "J:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "K:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "K:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "K:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "K:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "L:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "L:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "L:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "L:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "M:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "M:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "M:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "M:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "N:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "N:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "N:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "N:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "O:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "O:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "O:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "O:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "P:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "P:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "P:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "P:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Q:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Q:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Q:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Q:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "R:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "R:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "R:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "R:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "S:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "S:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "S:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "S:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "T:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "T:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "T:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "T:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "U:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "U:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "U:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "U:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "V:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "V:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "V:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "V:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "W:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "W:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "W:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "W:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "X:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "X:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "X:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "X:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Y:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Y:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Y:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Y:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Z:\XNGGXD.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Z:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Z:\.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "Z:\.EXE" )
0x0040486a ---->  Call Kernel32.GetComputerNameA ( "ICE-4COREMX" )
0x0040486a ---->  Call Kernel32.GetComputerNameA ( "ICE-4COREMX" )
0x0040498a ---->  Call User32.FindWindowA [Real] ( ClassName:"IAG/", WindowName:"KAE/", hWnd:0x00000000 )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\JAFXSC.EXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\UOYX.EX_.MXE" )
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\WINDOWS\SYSTEM32\XNGGXD.EXE" )
0x0040486a ---->  Call Kernel32.GetComputerNameA ( "ICE-4COREMX" )
0x00404912 ---->  Call Kernel32.OpenMutexA (DesiredAccess:0x001f0001, InheritHandle:"FALSE", Name:"IAG/", hMutex::0x00000000)
0x0040486a ---->  Call Kernel32.GetComputerNameA ( "ICE-4COREMX" )
0x00404912 ---->  Call Kernel32.OpenMutexA (DesiredAccess:0x001f0001, InheritHandle:"FALSE", Name:"KAE/", hMutex::0x00000000)
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x004047ea ---->  Call Kernel32.CopyFileA (ExistingFileName:C:\Matrix\bin\uoyx.ex_.mxe, NewFileName:C:\WINDOWS\system32\jafxsc.exe, FailIfExists:0)
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x004047ea ---->  Call Kernel32.CopyFileA (ExistingFileName:C:\Matrix\bin\uoyx.ex_.mxe, NewFileName:C:\WINDOWS\system32\xnggxd.exe, FailIfExists:0)
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x0040493a ---->  Call Kernel32.SetFileAttributesA ( FileName:"C:\WINDOWS\system32\jafxsc.exe", FileAttributes:0x00000006 )
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x0040493a ---->  Call Kernel32.SetFileAttributesA ( FileName:"C:\WINDOWS\system32\xnggxd.exe", FileAttributes:0x00000006 )
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x00404962 ---->  Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\jafxsc.exe", CmdShow:0x00000001(1) )
0x004048d2 ---->  Call Kernel32.GetSystemDirectoryA ( OutBuffer:"C:\WINDOWS\system32"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x00404962 ---->  Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\xnggxd.exe", CmdShow:0x00000001(1) )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\MATRIX\BIN\" )
0x004048ea ---->  Call Kernel32.GetWindowsDirectoryA ( OutBuffer:"C:\WINDOWS"<Addr:0x0012fb04>, SizeOfBuf:260 )
0x00404972 ---->  Call User32.CharUpperBuffA ( "C:\WINDOWS\" )
0x00404def ---->  Call Kernel32.CreateToolhelp32Snapshot ( "" )
0x00404e0f ---->  Call Kernel32.Process32First ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x0040491a ---->  Call Kernel32.OpenProcess [Real] ( DesiredAccess:0x00000001, InheritHandle:0x00000000, ProcessId:0x00005244(21060)(QQ.exe), Result:Success)
0x00404952 ---->  Call Kernel32.TerminateProcess [Fake] ( hProcess:0x0000012c, uExitCode:0x00000000, Result:Success)
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404def ---->  Call Kernel32.CreateToolhelp32Snapshot ( "" )
0x00404e0f ---->  Call Kernel32.Process32First ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404def ---->  Call Kernel32.CreateToolhelp32Snapshot ( "" )
0x00404e0f ---->  Call Kernel32.Process32First ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404e2f ---->  Call Kernel32.Process32Next ( "" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "UOYX.EX_.MXE" )
0x00404972 ---->  Call User32.CharUpperBuffA ( "我的相片.JPG.EXE" )
0x0040488a ---->  Call Kernel32.GetEnvironmentVariableA ( Name:"Comspec", Buffer:"C:\WINDOWS\system32\cmd.exe" nSize:0x00000104)
0x004010aa ---->  Call Kernel32.GetModuleFileNameA ( Return Module Name:"C:\Matrix\bin\uoyx.ex_.mxe" )
0x00404962 ---->  Call Kernel32.WinExec [Fake] ( CmdLine:"C:\WINDOWS\system32\cmd.exe /c del "C:\Matrix\bin\uoyx.ex_.mxe"", CmdShow:0x00000000(0) )
0x0040113e ---->  Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00004000, dwFreeType:0x00004000)
0x0040113e ---->  Call Kernel32.VirtualFree ( lpAddress:0x05140000, dwSize:0x00000000, dwFreeType:0x00008000)
0x0040112e ---->  Call Kernel32.LocalFree ( hMem:0x00147ed0 )
0x0040112e ---->  Call Kernel32.LocalFree ( hMem:0x001497e0 )
0x0040115e ---->  Call ntdll.RtlDeleteCriticalSection (Ret:0x00000000)
0x0040107a ---->  Call Kernel32.ExitProcess ( ExitCode:0x00000000)

2009-3-10 16:04

0

monsterok

雪币： 603

活跃值： (40)

能力值：

( LV9，RANK：140 )

在线值：

发帖

14

回帖

360

粉丝

0

关注

私信

monsterok 3: 55 楼

写的真好，哈

2009-3-10 18:18

0

情剑无伤

雪币： 235

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

33

粉丝

0

关注

私信

情剑无伤: 56 楼

函数写的整齐，也是常用的

2009-3-10 19:40

0

haptor

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

5

粉丝

0

关注

私信

haptor: 57 楼

好文章，学习了

2009-3-24 09:57

0

roadblosso

雪币： 103

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

61

粉丝

1

关注

私信

roadblosso: 58 楼

写得很好啊，很辛苦

2009-3-24 11:28

0

xinshouzy

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

10

粉丝

0

关注

私信

xinshouzy: 59 楼

楼主辛苦了！~~~~~~~~~

2009-3-24 12:26

0

王小攀

雪币： 0

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

21

粉丝

0

关注

私信

王小攀: 60 楼

收藏,方便以后可以用

2009-7-29 23:56

0

浩燕

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

6

粉丝

0

关注

私信

浩燕: 61 楼

我的天哪，这是天书。。。。。

2009-7-30 21:43

0

gaorqing

雪币： 304

活跃值： (66)

能力值：

( LV6，RANK：90 )

在线值：

发帖

8

回帖

36

粉丝

1

关注

私信

gaorqing 2: 62 楼

学习了

2009-7-31 09:36

0

graymice

雪币： 212

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

4

回帖

9

粉丝

0

关注

私信

graymice: 63 楼

00400154 >  8725 9C554200 xchg dword ptr [42559C], esp
0040015A 61             popad
0040015B 94             xchg eax, esp
0040015C 55             push ebp
0040015D A4             movs byte ptr es:[edi], byte ptr [esi]
0040015E B6 80          mov    dh, 80
00400160 FF13          call dword ptr [ebx]

这个木马的进入点在这里，而且导入函数就只有2个，是加壳了，还是修改了PE头文件，具体怎么实现的，
那位大虾整理以下

2009-8-2 21:23

0

graymice

雪币： 212

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

4

回帖

9

粉丝

0

关注

私信

graymice: 64 楼

请哪位上传一个没加壳的，谢谢，或者这个加什么壳？

2009-8-2 21:33

0

安达

雪币： 62

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

2

回帖

17

粉丝

0

关注

私信

安达: 65 楼

好东西，谢谢提供

2009-8-2 21:41

0

雪雨馨风

雪币： 232

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

21

粉丝

0

关注

私信

雪雨馨风: 66 楼

这木马功能强大啊。。。。LZ分析思维强悍啊

2009-8-4 17:47

0

小瘦猴

雪币： 202

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

3

回帖

8

粉丝

0

关注

私信

小瘦猴: 67 楼

兄弟，能不能指点一下怎么去学习这个方面的知识啊，我是计算机专业毕业的，具备了这个方面的基础，有了汇编和C/C++语言基础，对api编程也有基础，另外对于驱动开发也是比较熟悉的，但是在逆向方面怎么没有入门啊，就是拿到一个木马后不知道从哪里开始分析，对于脱壳这方面当然是没有很大问题了，但是对于分析木马这些特征码还是不清楚从何入手，能不能谈下您当时怎么入门的啊

2009-8-24 22:51

0