Malicious Indicators: Matched Compiler/Packer signature Found (Borland Delphi 4.0), Reads the active computer name, Drops executable files, Contains ability to create named pipes for inter-process communication, Makes a code branch decision directly after an API that is environment aware, Found potential URL in binary/memory
Some suspicious/malicious Indicators: Matched Compiler/Packer signature, Reads the active computer name, Reads the cryptographic machine GUID, Reads the Windows installation date, Queries process information, Queries the internet cache settings, Contains ability to start/interact with device drivers, Spawns a lot of processes, Reads configuration files, Drops executable files, Opens the Kernel Security Device Driver, Contains ability to listen for incoming connections, Contacts 8 domains and 1249 hosts, Multiple malicious artifacts seen in the context of different hosts, Uses network protocols on unusual ports (multiple TCP connections over ports 6969 and 6881), Sends UDP traffic to various hosts, P2P BitTorrent DHT ping request, P2P Torrent download, HTTP request contains Base64 encoded artifacts