Steals private information from local Internet browsers
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@google[2].txt |
file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\QuotaManager |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\webappsstore.sqlite |
file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\cookies.sqlite |
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@microsoft[2].txt |
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@downloads.sourceforge[1].txt |
file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\SiteSecurityServiceState.txt |
file_read | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db |
file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@c1.microsoft[2].txt |
Harvests credentials from local FTP client software
key | HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Home |
key | HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Professional |
key | HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Professional |
key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape\CuteFTP 9 |
key | HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Home |
key | HKEY_USERS\.DEFAULT\Software\Globalscape\CuteFTP 9 |
key | HKEY_CURRENT_USER\SOFTWARE\FileZilla Client |
key | HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla Client |
Harvests information related to installed mail clients
file | C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini |
Generates some ICMP traffic
A process attempted to delay the analysis task.
api_process_name | 8983a49172af96178458266f93d65fa193eaaef2.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds |
Tries to suspend Cuckoo threads to prevent logging of malicious activity
api_process_name | 8983a49172af96178458266f93d65fa193eaaef2.exe (2212) |
Checks the CPU name from registry, possibly for anti-virtualization
registry_read | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |
Detects VirtualBox through the presence of a file
file_query | C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe |
Creates RWX memory
injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Attempts to identify installed AV products by installation directory
file_query | C:\Program Files\Sandboxie\Start.exe |
file_query | C:\Program Files\Sandboxie |
file_query | C:\Program Files\Sandboxie\SbieCtrl.exe |
file_query | C:\Windows\Installer\SandboxieInstall64.exe |
file_query | C:\Program Files (x86)\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe |
file_query | C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe |
file_query | C:\Program Files (x86)\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe |
file_query | C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe |
file_query | C:\Program Files (x86)\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe |
file_query | C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe |
file_query | C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-Aware.exe |
file_query | C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe |
file_query | C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe |
file_query | C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe |
file_query | C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe |
file_query | C:\Program Files\Malwarebytes Anti-Malware\mbam.exe |
file_query | C:\Program Files (x86)\Sandboxie\Start.exe |
file_query | C:\ProgramData\McAfee\MCLOGS |
Attempts to identify installed AV products by registry key
registry_query | HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm |
registry_query | HKEY_LOCAL_MACHINE\Software\Avast Software\Avast |
registry_query | HKEY_CURRENT_USER\Software\Avast Software\Avast |