Second version, with anti-forensic features on board against homemade virus analysts who are mostly still living in the 200x and 199x years. The coder of this sample did a good job of reporting events, leaving all the sensitive strings in the code, which makes it much more readable. Thanks.
We are starting with the source path left in the binary:

    i:\MySoft\project Locker\optimize orig Binary\kol\err.pas
@0040D1F4 GlobalAntiForensics procedure
@0040CC18 AntiVMWare -> VMX backdoor
@0040CC9C AntiVMWareEx -> rdtsc, calculating ticks between instructions; more than 200? VMware detected. (I have bad news for the malware writers who have been copy-pasting this for years.)
@0040CCB0 AntiVirtualBox -> NtQuerySystemInformation(SystemProcessesAndThreads) -> VBoxService.exe
@0040CD88 AntiVirtualPC -> by an invalid instruction
@0040CCEC AntiSandboxie -> by GetModuleHandle("sbiedll.dll")
@0040CD10 AntiThreadExpert -> the script-kiddie author means AntiThreatExpert. By GetModuleHandle("dbghelp.dll")
@0040CDA0 AntiWireshark -> NtQuerySystemInformation(SystemProcessesAndThreads) -> wireshark.exe
@0040CDD8 AntiJoeBox -> same as previous, by "joeboxserver.exe" and "joeboxcontrol.exe" process names
AntiRFP (RegMon @0040CE50, FileMon @0040CE84, ProcMon @0040CEB8)
@0040CF84 AntiAllDebugger -> IsDebuggerPresent and the same check read directly from the PEB flag.
@0040CFA0 AntiOllyDbg -> part of the previous one (blind copy-paste)
@0040D058 AntiSoftIce -> by device symbolic links, hello from 200x
@0040D0CC AntiSyserDebugger -> by device symbolic links
@0040D12C AntiTrwDebugger -> by CreateFile, hello from 199x
@0040CD34 AntiVirtualMachine -> sldt instruction; I have bad news for the ransomware author
@0040D14C AntiSunbeltSandboxie -> GetModuleHandle("api_log.dll"), GetModuleHandle("dir_watch.dll")
A collection of primitive and out-of-date methods, created by mindless copy-paste.
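As an added example (my own code, not part of the original post or of the sample), a small Python triage script that flags the indicator strings and instruction patterns listed above in a raw binary image, so an analyst can spot this copy-pasted anti-forensics block quickly; the grouping labels and the sample bytes are constructed for illustration.

```python
import re

# Indicator strings named in the post, mapped to the check they belong to
# (the labels are my own grouping, not names from the sample).
STRING_INDICATORS = {
    b"VBoxService.exe": "AntiVirtualBox (process enumeration)",
    b"sbiedll.dll": "AntiSandboxie (GetModuleHandle)",
    b"dbghelp.dll": "AntiThreatExpert (GetModuleHandle)",
    b"wireshark.exe": "AntiWireshark (process enumeration)",
    b"joeboxserver.exe": "AntiJoeBox (process enumeration)",
    b"joeboxcontrol.exe": "AntiJoeBox (process enumeration)",
    b"api_log.dll": "AntiSunbeltSandboxie (GetModuleHandle)",
    b"dir_watch.dll": "AntiSunbeltSandboxie (GetModuleHandle)",
    b"IsDebuggerPresent": "AntiAllDebugger (API import)",
}

# Byte patterns for the instruction-based checks the post lists.
OPCODE_INDICATORS = {
    "rdtsc (AntiVMWareEx timing)": re.compile(rb"\x0f\x31"),   # rdtsc = 0F 31
    # sldt r/m16 = 0F 00 /0, i.e. a ModRM byte whose reg field is 000
    "sldt (AntiVirtualMachine LDT check)":
        re.compile(rb"\x0f\x00[\x00-\x07\x40-\x47\x80-\x87\xc0-\xc7]"),
    # mov eax, fs:[30h] = 64 A1 30 00 00 00, loads the PEB pointer
    "fs:[0x30] PEB access (AntiAllDebugger)":
        re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
}

def _find_all(blob: bytes, needle: bytes) -> list[int]:
    """Case-insensitive offsets of every occurrence of needle in blob."""
    hay, pat, out, pos = blob.lower(), needle.lower(), [], 0
    while (pos := hay.find(pat, pos)) != -1:
        out.append(pos)
        pos += 1
    return out

def scan(blob: bytes) -> dict[str, list[int]]:
    """Return {label: [offsets]} for every indicator found in blob."""
    hits: dict[str, list[int]] = {}
    for needle, label in STRING_INDICATORS.items():
        # Delphi/Windows binaries may carry a string as ASCII or as UTF-16LE.
        for enc in (needle, needle.decode("ascii").encode("utf-16-le")):
            for off in _find_all(blob, enc):
                hits.setdefault(label, []).append(off)
    for label, pattern in OPCODE_INDICATORS.items():
        for m in pattern.finditer(blob):
            hits.setdefault(label, []).append(m.start())
    return {k: sorted(v) for k, v in hits.items()}

# Constructed sample blob (not taken from the real file): a few strings and opcodes.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8 + b"sbiedll.dll\x00"
          + "VBoxService.exe".encode("utf-16-le") + b"\x00\x00"
          + b"\x0f\x31\x8b\xd8"            # rdtsc ; mov ebx, eax
          + b"\x0f\x00\x45\xfe"            # sldt word ptr [ebp-2]
          + b"\x64\xa1\x30\x00\x00\x00")   # mov eax, fs:[30h]
```

Opcode hits are only leads: two-byte sequences such as 0F 31 also occur in ordinary data, so confirm each reported offset in a disassembler before attributing a check to it.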