Sample details: ab2b0f3e9eec065a0f22c181cce48cd0

Hashes
MD5: ab2b0f3e9eec065a0f22c181cce48cd0
SHA1: b785e75eddb267801f760456b5a9f457a224cb7f
SHA256: 8e77fdbc9d9fba416b3a22d96115e81ee9e11fbb191727eca40e18949cf3d0be
SSDEEP: 12288:FuMwkBi8vvrHxVPKyv2m77sZB07FxObO326:FHwl8vrx52t07FQaD
Details
File Type: PE32
Yara Hits
CuckooSandbox/vmdetect | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_60_70 | YRP/Borland | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/borland_delphi | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/contentis_base64 | YRP/Sandboxie_Detection | YRP/VirtualPC_Detection | YRP/VirtualBox_Detection | YRP/Dropper_Strings | YRP/Obfuscated_Strings | YRP/Check_Dlls | YRP/vmdetect | YRP/anti_dbg | YRP/anti_dbgtools | YRP/antisb_joesanbox | YRP/antisb_anubis | YRP/antisb_threatExpert | YRP/antisb_sandboxie | YRP/antisb_cwsandbox | YRP/antivm_virtualbox | YRP/inject_thread | YRP/keylogger | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/Delphi_CompareCall | YRP/Delphi_Copy
Strings
		This program must be run under Win32
.idata
.rdata
P.reloc
P.rsrc
StringX
TObject
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
TStringArray
UnitInjectLibraryXM@
TLibInfo
kernel32
LoadLibraryA
GetModuleHandleA
kernel32
GetProcAddress
ExitThread
SArray
EditSvrXX@
TLoader
kernel32.dll
CreateToolhelp32Snapshot
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Toolhelp32ReadProcessMemory
Process32First
Process32Next
Process32FirstW
Process32NextW
Thread32First
Thread32Next
Module32First
Module32Next
Module32FirstW
Module32NextW
ShellExecuteA
shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData
Startup
GetSystemDirectoryA
kernel32.dll
GetWindowsDirectoryA
kernel32.dll
GetTempPathA
kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
ProgramFilesDir
C:\default.html
PSAPI.dll
GetModuleFileNameExA
VBoxService.exe
SbieDll.dll
dbghelp.dll
Software\Microsoft\Windows\CurrentVersion
ProductId
55274-640-2673064-23950
Software\Microsoft\Windows\CurrentVersion
ProductId
76487-644-3177037-23510
Software\Microsoft\Windows\CurrentVersion
ProductId
76487-337-8429955-22614
CurrentUser
kernel32.dll
IsDebuggerPresent
DAEMON
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
TCAutostartSV
 Restart
Software\Microsoft\Active Setup\Installed Components\
StubPath
Software\Microsoft\Active Setup\Installed Components\
Restart
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
DeleteFileA
kernel32.dll
ExitThread
explorer.exe
explorer.exe
shell_traywnd
Shell_TrayWnd
explorer.exe
Restart
Runtime error     at 00000000
0123456789ABCDEF
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
GetThreadLocale
GetStartupInfoA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
SysReAllocStringLen
SysAllocStringLen
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
GetUserNameA
kernel32.dll
lstrcmpiA
WriteProcessMemory
WriteFile
WaitForSingleObject
VirtualProtect
VirtualFree
VirtualAllocEx
VirtualAlloc
SizeofResource
SetFilePointer
SetFileAttributesA
ReadProcessMemory
OpenProcess
LockResource
LoadResource
LoadLibraryA
GetTickCount
GetProcAddress
GetModuleHandleA
GetLastError
GetFileAttributesA
GetExitCodeThread
FreeResource
FindResourceA
FindFirstFileA
FindClose
ExitProcess
DeleteFileA
CreateRemoteThread
CreateProcessA
CreateMutexA
CreateFileA
CreateEventA
CreateDirectoryA
CopyFileA
CloseHandle
user32.dll
TranslateMessage
PostQuitMessage
PeekMessageA
MsgWaitForMultipleObjects
GetWindowThreadProcessId
FindWindowA
DispatchMessageA
CharLowerA
CharUpperA
shell32.dll
FindExecutableA
'unitStartup
UnitDiversos
TlHelp32
System
SysInit
KWindows
UTypes
gUnitServerUtils
3Messages
AclAPI
AAccCtrl
*ShellAPI
\StreamUnit
UnitComandos
deleteUnit
EditSvr
UnitInstalacao
UUnitSettings
RUnitVariaveis
6UnitSandBox
0UnitInjectLibrary