Windows Analysis Report
Windows Total Protection 2010.exe

Overview

General Information

Sample name: Windows Total Protection 2010.exe
Analysis ID: 1670094
MD5: c41acf0b536ceedce47ad30d7214697b
SHA1: 37904464ad46edebf414089baaf7ad64861bc11d
SHA256: 314464acb596a12ac54b601e1635cd7149dd81861da6f381b321dfbb7648c11b
Tags: exe, user-FelloBoiYuuka

Detection

Score: 3
Range: 0 - 100
Confidence: 80%

Signatures

Detected potential crypto function
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Windows Total Protection 2010.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_004011A8 1_2_004011A8
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_004500E6 1_2_004500E6
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00456CF3 1_2_00456CF3
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_004569C7 1_2_004569C7
Source: Windows Total Protection 2010.exe, 00000001.00000000.1268395743.0000000000692000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesus.exe vs Windows Total Protection 2010.exe
Source: Windows Total Protection 2010.exe Binary or memory string: OriginalFilenamesus.exe vs Windows Total Protection 2010.exe
Source: Windows Total Protection 2010.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Windows Total Protection 2010.exe, 00000001.00000002.2538497659.0000000000691000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: h*\AC:\Program Files\Microsoft Visual Studio\VB98\Project1.vbp +m
Source: Windows Total Protection 2010.exe Binary or memory string: i*\AC:\Program Files\Microsoft Visual Studio\VB98\Project1.vbp
Source: classification engine Classification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Mutant created: NULL
Source: Windows Total Protection 2010.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Section loaded: textshaping.dll
Source: Windows Total Protection 2010.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Windows Total Protection 2010.exe Static file information: File size 2748416 > 1048576
Source: Windows Total Protection 2010.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x290000
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00454849 push FFFFFFF3h; retf 1_2_0045484B
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_0044F832 push 1168CA11h; retf 1_2_0044F8A6
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_004504C3 push 0C67CE0Ch; iretd 1_2_0045052A
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_004528CC push 0C68CF0Ch; iretd 1_2_00452936
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_004558D5 push 0C67CF0Ch; iretd 1_2_00455939
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_0044F8A8 push 1169CA11h; retf 1_2_0044F8AF
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00451CBB push 0C68CF0Ch; iretd 1_2_00451D2A
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00455943 push 0C68CF0Ch; iretd 1_2_00455948
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_0045654C push 0C68CF0Ch; iretd 1_2_00456551
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_0045052B push 0C67CF0Ch; iretd 1_2_00450530
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00451D34 push 0C68D00Ch; iretd 1_2_00451D39
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00450537 push 0C68CF0Ch; iretd 1_2_0045053C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00451137 push 0C68D00Ch; iretd 1_2_0045113C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00452937 push 0C68CF0Ch; iretd 1_2_0045293C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00450531 push 0C68D00Ch; iretd 1_2_00450536
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00451131 push 0C68CF0Ch; iretd 1_2_00451136
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00454D3D push 0C68CF0Ch; iretd 1_2_00454D42
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00451D3A push 0C67CF0Ch; iretd 1_2_00451D3F
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_0045593A push 0C68CF0Ch; iretd 1_2_00455942
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00454B86 push 0C68CF0Ch; iretd 1_2_00454D3C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00450F92 push 0C68CF0Ch; iretd 1_2_00451130
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Code function: 1_2_00452392 pushad ; ret 1_2_00452393
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe API coverage: 2.1 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos