"ESWin.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"uninst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"ESWinHelp.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Apr 28 02:00:44 2009 mtime=Tue Jan 2 02:50:30 2018 atime=Tue Apr 28 02:00:44 2009 length=6265 window=hide"
"InstallOptions.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Uninstall.lnk" has type "MS Windows shortcut Item id list present Has Relative path Has Working directory ctime=Mon Jan 1 00:06:32 1601 mtime=Mon Jan 1 00:06:32 1601 atime=Mon Jan 1 00:06:32 1601 length=0 window=hide"
"ESWin.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Mon May 24 08:33:54 2010 mtime=Tue Jan 2 02:50:30 2018 atime=Mon May 24 08:33:54 2010 length=406016 window=hide"

Possibly tries to detect the presence of a debugger
Source: Hybrid Analysis Technology
Relevance: 10/10

See related instructions: ".+0 sub esp, 00000098h+6 mov eax, dword ptr +11 xor eax, esp+13 mov dword ptr, eax+20 lea eax, dword ptr +23 push eax+24 mov dword ptr, 00000094h+32 call dword ptr GetVersionExA+38 mov eax, dword ptr +42 cmp eax, 05h+45 jc 0040412Bh". Which is directly followed by "cmp eax, 05h" and "jc 0040412Bh".
See related instructions: ".+102 call 00422E50h+107 add esp, 0Ch+110 lea eax, dword ptr +116 push eax+117 mov dword ptr, edi+123 call dword ptr GetVersionExA+129 cmp dword ptr, 06h+136 jc 0041AD8Fh". Which is directly followed by "cmp dword ptr, 06h" and "jc 0041AD8Fh".
See related instructions: ".+35 call 00422E50h+40 add esp, 0Ch+43 lea eax, dword ptr +49 push eax+50 mov dword ptr, 00000094h+60 call dword ptr GetVersionExA+66 mov ecx, dword ptr +69 xor eax, eax+71 cmp dword ptr, 02h+78 sete al+81 xor ecx, ebp". Which is directly followed by "cmp dword ptr, 02h" and "xor ecx, ebp".

"" wrote bytes "c9972074" to virtual address "0x7565D8B8" (part of module "SHELL32.DLL")
"" wrote bytes "eb6e1f74" to virtual address "0x7565D8FC" (part of module "SHELL32.DLL")
"" wrote bytes "946b1f74" to virtual address "0x7565DED0" (part of module "SHELL32.DLL")
"" wrote bytes "a06e1f74" to virtual address "0x7565D8DC" (part of module "SHELL32.DLL")
"" wrote bytes "e4962074" to virtual address "0x756ADE68" (part of module "SHELL32.DLL")
"" wrote bytes "796d1f74" to virtual address "0x7565D908" (part of module "SHELL32.DLL")
"" wrote bytes "4e6c1f74" to virtual address "0x7565DE9C" (part of module "SHELL32.DLL")
"" wrote bytes "6c982074" to virtual address "0x756ADE6C" (part of module "SHELL32.DLL")
"" wrote bytes "326e1f74" to virtual address "0x7565D8D4" (part of module "SHELL32.DLL")
"" wrote bytes "076d1f74" to virtual address "0x7565DEC4" (part of module "SHELL32.DLL")
"" wrote bytes "c9972074" to virtual address "0x7565DE80" (part of module "SHELL32.DLL")
"" wrote bytes "bc6c1f74" to virtual address "0x7565DEA4" (part of module "SHELL32.DLL")
"" wrote bytes "5d6f1f74" to virtual address "0x756875D0" (part of module "SHELL32.DLL")
"" wrote bytes "e4962074" to virtual address "0x7565DE88" (part of module "SHELL32.DLL")
"" wrote bytes "e4962074" to virtual address "0x7565D8C0" (part of module "SHELL32.DLL")
"" wrote bytes "df6b1f74" to virtual address "0x7565DEAC" (part of module "SHELL32.DLL")
"" wrote bytes "c46d1f74" to virtual address "0x7565D8E4" (part of module "SHELL32.DLL")