EP_X0FF wrote: kiddies are very productive, so probably new rebuild with new key will be released maybe even today
00401382 PUSH junk.0040402C ; String2 = "90650231"
00401387 PUSH junk.00407088 ; String1 = "C"
0040138C CALL <JMP.&kernel32.lstrcmp> ; lstrcmpA
00401AA0 lea edx, [ebp+psz2]
00401AA6 push edx ; psz2
00401AA7 push offset psz1 ; "WARCRAFT"
00401AAC call ebx ; StrCmpW
nullptr wrote: The pornoplayer sample just drops the binary that is embedded in its resources, writes the userinit entry so it starts with Windows and then reboots the computer.
So it's likely that Sandboxie now blocks any ExitWindowsEx(...) call.
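A defender-side check for the userinit persistence described in the quoted post, as an added example that is not part of the thread. It assumes the stock Winlogon Userinit value is C:\Windows\system32\userinit.exe followed by a comma; the function names and the sample values are constructed for illustration.

```python
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM_ROOT = r"C:\Windows"  # assumption: default install location


def audit_userinit(value, system_root=SYSTEM_ROOT):
    """Split a Userinit value and report entries other than the stock userinit.exe."""
    stock = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    unexpected, stock_present = [], False
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends in a comma, which yields an empty item
        path = entry.lower()
        for var in ("%systemroot%", "%windir%"):
            path = path.replace(var, system_root.lower())
        # normpath collapses "..", so system32\..\Temp\userinit.exe does not pass
        if ntpath.normcase(ntpath.normpath(path)) == stock:
            stock_present = True
        else:
            unexpected.append(entry)
    return {"unexpected": unexpected, "stock_present": stock_present}


def read_userinit():
    """Read the live value from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


# Constructed sample values, not taken from the sample discussed in the thread.
SAMPLES = [
    r"C:\Windows\system32\userinit.exe,",
    r"C:\WINDOWS\System32\userinit.exe,C:\Users\Public\player.exe,",
    r"C:\Users\Public\player.exe",
    r"C:\Windows\system32\..\Temp\userinit.exe,",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_userinit(sample))
```

On a Windows host, audit_userinit(read_userinit()) checks the live value; any unexpected entry, or a missing stock entry, is worth investigating.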