Attempts to repeatedly call a single API many times in order to delay analysis time
A process attempted to delay the analysis task.
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available
One or more AV tool detects this sample as malicious: Ransom:Win32/Gandcrab.D!MTB
Connects to an IRC server, possibly part of a botnet
Operates on local firewall's policies and settings
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Attempts to remove evidence of file being downloaded from the Internet
Sample contacts servers at uncommon ports
The executable has PE anomalies (could be a false positive)
Allocates read-write-execute memory (usually to unpack itself)
The binary likely contains encrypted or compressed data.
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup
More than 50% of the external calls do not go through the import address table
This sample contains high entropy sections
Anomalous binary characteristics
Possible date expiration check, exits too soon after checking local time
Creates a hidden or system file