Windows Analysis Report
Windows Total Protection 2010.exe

Overview

General Information

Sample name:	Windows Total Protection 2010.exe
Analysis ID:	1670094
MD5:	c41acf0b536ceedce47ad30d7214697b
SHA1:	37904464ad46edebf414089baaf7ad64861bc11d
SHA256:	314464acb596a12ac54b601e1635cd7149dd81861da6f381b321dfbb7648c11b
Tags:	exeuser-FelloBoiYuuka
Infos:

Detection

Score:	3
Range:	0 - 100
Confidence:	80%

Signatures

Detected potential crypto function

Found large amount of non-executed APIs

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Uses 32bit PE files

Source: Windows Total Protection 2010.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Detected potential crypto function

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_004011A8	1_2_004011A8
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_004500E6	1_2_004500E6
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00456CF3	1_2_00456CF3
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_004569C7	1_2_004569C7

Sample file is different than original file name gathered from version info

Source: Windows Total Protection 2010.exe, 00000001.00000000.1268395743.0000000000692000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesus.exe vs Windows Total Protection 2010.exe
Source: Windows Total Protection 2010.exe	Binary or memory string: OriginalFilenamesus.exe vs Windows Total Protection 2010.exe

Uses 32bit PE files

Source: Windows Total Protection 2010.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Windows Total Protection 2010.exe, 00000001.00000002.2538497659.0000000000691000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: h*\AC:\Program Files\Microsoft Visual Studio\VB98\Project1.vbp +m
Source: Windows Total Protection 2010.exe	Binary or memory string: i*\AC:\Program Files\Microsoft Visual Studio\VB98\Project1.vbp

Source: classification engine

Classification label: clean3.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe

Mutant created: NULL

Source: Windows Total Protection 2010.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Section loaded: textshaping.dll	Jump to behavior

Source: Windows Total Protection 2010.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Windows Total Protection 2010.exe

Static file information: File size 2748416 > 1048576

Source: Windows Total Protection 2010.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x290000

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00454849 push FFFFFFF3h; retf	1_2_0045484B
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_0044F832 push 1168CA11h; retf	1_2_0044F8A6
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_004504C3 push 0C67CE0Ch; iretd	1_2_0045052A
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_004528CC push 0C68CF0Ch; iretd	1_2_00452936
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_004558D5 push 0C67CF0Ch; iretd	1_2_00455939
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_0044F8A8 push 1169CA11h; retf	1_2_0044F8AF
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00451CBB push 0C68CF0Ch; iretd	1_2_00451D2A
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00455943 push 0C68CF0Ch; iretd	1_2_00455948
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_0045654C push 0C68CF0Ch; iretd	1_2_00456551
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_0045052B push 0C67CF0Ch; iretd	1_2_00450530
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00451D34 push 0C68D00Ch; iretd	1_2_00451D39
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00450537 push 0C68CF0Ch; iretd	1_2_0045053C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00451137 push 0C68D00Ch; iretd	1_2_0045113C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00452937 push 0C68CF0Ch; iretd	1_2_0045293C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00450531 push 0C68D00Ch; iretd	1_2_00450536
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00451131 push 0C68CF0Ch; iretd	1_2_00451136
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00454D3D push 0C68CF0Ch; iretd	1_2_00454D42
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00451D3A push 0C67CF0Ch; iretd	1_2_00451D3F
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_0045593A push 0C68CF0Ch; iretd	1_2_00455942
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00454B86 push 0C68CF0Ch; iretd	1_2_00454D3C
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00450F92 push 0C68CF0Ch; iretd	1_2_00451130
Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe	Code function: 1_2_00452392 pushad ; ret	1_2_00452393

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Windows Total Protection 2010.exe

API coverage: 2.1 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1670094
Product:	CloudBasic
Start time:	05:26:16
Start date:	21.04.2025
Sample:	Windows Total Protection 2010.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c41acf0b536ceedce47ad30d7214697b
SHA1:	37904464ad46edebf414089baaf7ad64861bc11d
SHA256:	314464acb596a12ac54b601e1635cd7149dd81861da6f381b321dfbb7648c11b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
Windows Total Protection 2010.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Windows Total Protection 2010.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Windows Total Protection 2010.exe