Malicious Applications
A malicious application, or app, is any malware written for mobile phones to install programs, software, or pieces of code designed for nefarious purposes.
Typical Behaviour from Malicious Apps
Grabbing credentials: an application is considered malicious if
it is designed to extract credentials through packet sniffing, keylogging, 'dumpster diving',
or other methods.
Process injection: any application or activity that manages to supersede
normal system processes by introducing malicious binaries or pieces of code.
Examples of the most targeted system processes are regsvr32.exe and svchost.exe.
Dynamic-link library injection: any action whose purpose is to externally
manipulate a functioning DLL; for example, writing a path to a DLL inside
an app’s process and then executing malicious code via a remote-controlled thread.
Hook injection: allows attackers to gain access to the core memory
functions. It loads and runs a piece of malicious code inside the environment of
a running platform.
Registry persistence: removed applications can still linger
in the computer registry. Sometimes they start modifying registry keys or values,
which means that you have a malicious app.
‘Trojanizing’ commonly used system binaries: this practice compromises
commonly used system binaries and turns them into bite-sized Trojans, granting hackers access
to key memory areas. This is done through fake patching.
Hijacking the DLL load order: if the path to a specific DLL (Dynamic Link Library)
is not hard-coded, a malicious piece of code can easily be introduced in the search order,
resulting in the executable loading it.
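
A defender's check for the DLL load-order hijacking described above, as an added example that is not part of the original page: it scans image-load records for a DLL that carries a system DLL's name but was loaded from outside the system directories. The record shape, the sample records, the DLL name list and the trusted directories are all assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Constructed sample records: (process image, DLL path it loaded), shaped like
# image-load telemetry. None of these values come from the page.
SAMPLE_LOADS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Program Files\Acme\viewer.exe", r"C:\Program Files\Acme\version.dll"),
    (r"C:\Program Files\Acme\viewer.exe", r"C:\Program Files\Acme\acmecore.dll"),
    (r"C:\Users\bob\Downloads\setup.exe", r"C:\Users\bob\Downloads\CRYPTBASE.DLL"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\SysWOW64\cryptbase.dll"),
]

# Assumption: DLL names that should only ever load from the system directories.
# In practice this set is built from a baseline of a known-good host.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def norm_dir(path):
    """Directory of a Windows path, normalised for case-insensitive comparison."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def find_shadowed_loads(loads, system_names=SYSTEM_DLL_NAMES, trusted=TRUSTED_DIRS):
    """Return loads where a system DLL name resolved outside the trusted dirs."""
    findings = []
    for process, dll in loads:
        name = ntpath.basename(dll).lower()
        dll_dir = norm_dir(dll)
        if name in system_names and dll_dir not in trusted:
            findings.append({
                "process": process,
                "dll": dll,
                # True when the DLL sits beside the executable, the first
                # place the loader looks when no full path is given.
                "same_dir_as_exe": dll_dir == norm_dir(process),
            })
    return findings


if __name__ == "__main__":
    for hit in find_shadowed_loads(SAMPLE_LOADS):
        print(hit["process"], "loaded", hit["dll"],
              "(beside executable)" if hit["same_dir_as_exe"] else "")
```

A hit is a lead for triage rather than a verdict: compare the file's signature and hash against the baseline before acting on it.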