1a04fc725eba1cbbf3423e4a6341a8466a1cee67796b14526162a8d7d05f9698

Analysis

max time kernel
142s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 15:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SweetIMSetup.exe
Size

3.8MB
MD5

6f7be2a5693e302f820ed7f80857a7d9
SHA1

aadc115aae7f1b637433fb2ec31e3ee47176e089
SHA256

46bcfcf8ba7515fd89c3ab8a64afba453f36926ec60b201432980105f68dc075
SHA512

19055b1d492963f6d4306f98cd57fc6894ffbc7f927be3ea14c666eaf4085a071ec80c58ad964eae15156085e448074a8f80a21e30bb337f4be3a45d88ef298f
SSDEEP

98304:91BGPQIJEmxdhZdFxddWiwF4u/R6rMRC+9:91BiDjxzZHxHlwKuJHC+9

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4668	VistaCookiesCollector.exe
4172	SweetIM.exe

Loads dropped DLL 32 IoCs

pid	Process
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
4172	SweetIM.exe
3268	MsiExec.exe
1392	MSIEXEC.EXE
1392	MSIEXEC.EXE
1384	SweetIMSetup.exe
1384	SweetIMSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SweetIM = "C:\\Program Files (x86)\\SweetIM\\Messenger\\SweetIM.exe"	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SweetIM\Messenger\mgICQAuto.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgMsnMessengerAdapter.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgFlashPlayer.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\NudgeButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgArchive.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgICQMessengerAdapter.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgUpdateSupport.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mghooking.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\msvcp71.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\KeyboardButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\sqlite\mgSqlite3.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgAdaptersProxy.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgMediaPlayer.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\ContentPackagesActivationHandler.exe	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgYahooAuto.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\msvcr71.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\default.xml	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgYahooMessengerAdapter.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mglogger.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\AudibleButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\GamesButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\WinksButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgcommon.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgconfig.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgsimcommon.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\DisplayPicturesButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgcommunication.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\SoundFxButton.png	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgMsnAuto.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgSweetIM.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\mgxml_wrapper.dll	msiexec.exe
File created	C:\Program Files (x86)\SweetIM\Messenger\resources\images\EmoticonButton.png	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58508c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B85C4CB2-B352-4BD8-818C-BCE353599107}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI688B.tmp	msiexec.exe
File created	C:\Windows\Installer\e585090.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98B8.tmp	msiexec.exe
File created	C:\Windows\Installer\e58508c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D00.tmp	msiexec.exe
File created	C:\Windows\Installer\{B85C4CB2-B352-4BD8-818C-BCE353599107}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{B85C4CB2-B352-4BD8-818C-BCE353599107}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DE8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6175.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76B5.tmp	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\DisplayName = "SweetIM Search"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\URL = "http://search.sweetim.com/search.asp?src=6&q={searchTerms}"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{EEE6C360-6118-11DC-9C72-001320C79847}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\DisplayName = "SweetIM Search"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\URL = "http://search.sweetim.com/search.asp?src=6&q={searchTerms}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{EEE6C360-6118-11DC-9C72-001320C79847}"	MsiExec.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://home.sweetim.com"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://home.sweetim.com"	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sim-packages\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}\InprocServer32\ = "C:\\Program Files (x86)\\SweetIM\\Messenger\\mgMediaPlayer.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlayer.GraphicsUtils	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1\ = "GraphicsUtils Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{B3F49787-0C16-465F-955E-95447E5514B8}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{B3F49787-0C16-465F-955E-95447E5514B8}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\InprocServer32\ = "C:\\Program Files (x86)\\SweetIM\\Messenger\\mgMediaPlayer.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\ProxyStubClsid32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\VersionIndependentProgID\ = "MgMediaPlayer.GifAnimator"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}\ = "IGifAnimator"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\ = "IGraphicsUtils"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlayer.GraphicsUtils\ = "GraphicsUtils Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MgMediaPlayer.GifAnimator\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\Version\ = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SweetIM\\Messenger\\\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\InprocServer32\InprocServer32 = 3800670054003900640052005900260048004000270045005300340072006e00310068004c0025003e002b0044006300690041007100660075007100380042005e0066002d004f0045003100490026003f0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\ProductIcon = "C:\\Windows\\Installer\\{B85C4CB2-B352-4BD8-818C-BCE353599107}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sim-packages\DefaultIcon\ = "ContentPackagesActivationHandler.exe,1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}\1.0\0\win32\ = "C:\\PROGRA~2\\SweetIM\\MESSEN~1\\MGMEDI~1.DLL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sim-packages\shell\open\command\ = "C:\\Program Files (x86)\\SweetIM\\Messenger\\ContentPackagesActivationHandler.exe \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\Control	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\ToolboxBitmap32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sim-packages\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\SourceList\PackageName = "SweetIMSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\789034A89BAC50E4782F0A7BDBF75632	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}\TypeLib\ = "{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2BC4C58B253B8DB418C8CB3E35951970\PackageCode = "80584D142D05D1E41B90A95F3723C247"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sim-packages\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sim-packages	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\MiscStatus\1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1\CLSID\ = "{A4A0CB15-8465-4F58-A7E5-73084EA2A064}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MgMediaPlayer.GifAnimator	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sim-packages	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}\TypeLib\ = "{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3644	msiexec.exe
3644	msiexec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe
3268	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1392	MSIEXEC.EXE
Token: SeSecurityPrivilege	3644	msiexec.exe
Token: SeCreateTokenPrivilege	1392	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1392	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1392	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1392	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1392	MSIEXEC.EXE
Token: SeTcbPrivilege	1392	MSIEXEC.EXE
Token: SeSecurityPrivilege	1392	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1392	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1392	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1392	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1392	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1392	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1392	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1392	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1392	MSIEXEC.EXE
Token: SeBackupPrivilege	1392	MSIEXEC.EXE
Token: SeRestorePrivilege	1392	MSIEXEC.EXE
Token: SeShutdownPrivilege	1392	MSIEXEC.EXE
Token: SeDebugPrivilege	1392	MSIEXEC.EXE
Token: SeAuditPrivilege	1392	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1392	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1392	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1392	MSIEXEC.EXE
Token: SeUndockPrivilege	1392	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1392	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1392	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1392	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1392	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1392	MSIEXEC.EXE
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe
Token: SeRestorePrivilege	3644	msiexec.exe
Token: SeTakeOwnershipPrivilege	3644	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4172	SweetIM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1392	1384	SweetIMSetup.exe	94
PID 1384 wrote to memory of 1392	1384	SweetIMSetup.exe	94
PID 1384 wrote to memory of 1392	1384	SweetIMSetup.exe	94
PID 3644 wrote to memory of 3268	3644	msiexec.exe	103
PID 3644 wrote to memory of 3268	3644	msiexec.exe	103
PID 3644 wrote to memory of 3268	3644	msiexec.exe	103
PID 3268 wrote to memory of 4668	3268	MsiExec.exe	104
PID 3268 wrote to memory of 4668	3268	MsiExec.exe	104
PID 3268 wrote to memory of 4668	3268	MsiExec.exe	104
PID 3268 wrote to memory of 4172	3268	MsiExec.exe	105
PID 3268 wrote to memory of 4172	3268	MsiExec.exe	105
PID 3268 wrote to memory of 4172	3268	MsiExec.exe	105

C:\Users\Admin\AppData\Local\Temp\SweetIMSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SweetIMSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{B3F49787-0C16-465F-955E-95447E5514B8}\SweetIMSetup.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1392

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D4287A0F4031ABE88D700B1B23589612
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\{B85C4CB2-B352-4BD8-818C-BCE353599107}\VistaCookiesCollector.exe
    C:\Users\Admin\AppData\Local\Temp\{B85C4CB2-B352-4BD8-818C-BCE353599107}\VistaCookiesCollector.exe http://sweetim.com,C:\Users\Admin\AppData\LocalLow\simcookies.dat
    3⤵
    - Executes dropped EXE
    PID:4668
- - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
    "C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe" -AutoStartIM
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58508f.rbs

Filesize
33KB

MD5
b35c0c4d4e718b98c167d155f16b34ef

SHA1
ec4dc90c1a2a9a1f251fa8d1b2e53b1659b83e15

SHA256
b30e979d4151d29fed9b0ccb4dc9c772a337fcec35a848b7219bc123849554b3

SHA512
bb1900b4543048b22b43593710013556d31ec1572b73861840f4dc503ae5ffd1c415f2c974992c4ef36575a9363876f4a4c2d41f5df022c6adf9ad4a6013faf8

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\MSVCR71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe

Filesize
112KB

MD5
92dccd7ad8fb9fb475a4f48086938838

SHA1
d564d1a07de540774c510bfe799819934fbe1d6a

SHA256
2c5f313e06e36239b19bc0e9b95452bc59e876db64ba57cc9d9a30f940b0750e

SHA512
5456d97217d8b5e310a02c208d5d9ed16cffd71fcb6c2669f15f2eb1d3fe813bc272e5b684ae5a4206c3bf5eab9759606e999f4f00c2a744cdba4ce50f9a976c

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\default.xml

Filesize
462B

MD5
4a93f75295ba23d7ce7e39fff5bdbdd5

SHA1
55f76e394beffd52861fd65d3010267588f2d3c0

SHA256
34eb3fafa9f5a9e754abfc0a0334ec9b5ab83317daca150fcd2104723763911a

SHA512
57d5e6b319465e5f3b4251656e87c30424093fc5c3181e030a5832d8296479dd15a118f93c41a39fa177d16653c2c3dae4f25999edf73e7f139b2a0b7791cfca

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgAdaptersProxy.dll

Filesize
26KB

MD5
7bc5b26fa0bc100a9f5b2fd178e7e4e2

SHA1
03545d82223fc511301296b5d992745ff4173bcf

SHA256
24d3ebd2877cd0db6fc7ed4bc013f0912523c9c95c3135f367d36b207d69700a

SHA512
1644b4e28ff095d78619de75e2280e653a5dd44f3d53e4750969b96e181a48a1b831ef2881e2dc607065ee9654ac00b64068c366997368176f99759631ce8e79

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgUpdateSupport.dll

Filesize
276KB

MD5
106bc82184bebbf6222d913c10705716

SHA1
3df985121d4f0186d7ccf9ce71fb53adfc060daf

SHA256
5f13baf6440b184805631b1c20615f8d618690bd1c29693953fd8f10738f2200

SHA512
f51329c4ffbc2c219b5fedf33ac9bc65079a9185b7cbc578ef33c98b6eead08887f71ee5fdfaa60885f2509f3ba8db1ec879ea2a2b0af1ff67fe65419f3ea081

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgcommon.dll

Filesize
276KB

MD5
ecd3f6f1ae3fee04e858538df4081b3b

SHA1
1abd074275e22a01d13f609f945d24783c20ffcb

SHA256
ed3bc423f09ce45aa8a6a36747d224a76bc1473816cb7fbbfab90a1aac42e01e

SHA512
67057bc91064a3315ebac2be09fc35b4dfb808588572670a16f74b3d0f474a90d70604f84d1475f8ad7dca71e13fa3ab1be35984896a97b6978bb849933dbacb

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgcommunication.dll

Filesize
35KB

MD5
7d41091ab70ca7bc11ecf152c0ef12c9

SHA1
7db5fee94f8a0a2e0257586fe0e4e1113ffd965d

SHA256
f533080ef19d94977ca8b0f01e8a167152d3f76ac224fec9f8c0027f2d34925e

SHA512
94e0caa2ba84c28fbb19bd2ef63b17bff9300a8ecc189abce6ca95f8de75a1ec8d06c450215ddd8ffc709b769ca2774566c11c08f1c0e06fb610f0f4a4ae6ef1

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgconfig.dll

Filesize
64KB

MD5
6500c8cad5bb6fc55e32b82d8df1f987

SHA1
c2d556474baf5dca99c27e8dc8196800b1135245

SHA256
56cad4aeb8f5884d0dfffc9c63601f083be7fc4b380c1b886d39b51c82ccae2a

SHA512
bea4fafe3b48e861f7a4acb3ee3297d9ab193a4089514d560cf05d8a38fa2054a03209cbd6a7a8247d63564fbb1b4416c0b13a0116493319c9c3ff3a4bcef4e4

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mghooking.dll

Filesize
164KB

MD5
10040468eee0283f7bd4065547f0448a

SHA1
9f98d905069e57caa5c565a5c3f711e397b5c36a

SHA256
57aee0a33715916e6ba5d3d51d05ae42c2087f34d149a1d75af56a7c78cfb301

SHA512
3e9cc92106c1d50c0e32ccb9b7b1ffe92d34785fbed9b1f293426f0ab012cee3795d8d24a15e6d1eb17c1d857f8b19d969d84487b0e7573c0d06853e383853f0

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgsimcommon.dll

Filesize
48KB

MD5
63ff4b3bcf770c77272dde796b620895

SHA1
ae66f0b3bc25585fc67961bd6d37617c43b228cd

SHA256
d46e648be7268ca9d72362face053dc5a1a68910a6e351352cc314791ab8e617

SHA512
652426e793e3d90ec09c1c138b1ef4c8c1c141bf59ba45212a59939975dbd985da087f25eed7629d9d64ffcaf2a1b8004beedde207e7b7bbb83f782d2c552e00

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\mgxml_wrapper.dll

Filesize
72KB

MD5
dd60555f651b16eeace2a74cd192d06f

SHA1
02f419030e627b860bb6f6c723401c6e42be6bb4

SHA256
4d334c56d1ae0e9cc47d2a8f58aed3ff44df2d280fb60be540a908abc264f229

SHA512
72e986859dded97dbae38597342285cdb0af2e1b00b6da59d454ba5a9a8336ef16791734055277ce9e9006c9331f75f153ca3ffb5fc187cf3a7d72a3486eca17

Download Submit
C:\Program Files (x86)\SweetIM\Messenger\msvcp71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\ProgramData\SweetIM\Messenger\conf\autoupdate.xml

Filesize
533B

MD5
c2efb572ba7f1953909c401db5ac8765

SHA1
63a66651d881fe6d35b7cc1aa316089cca53a9ab

SHA256
f9cd2ac229d0e66bdc7d81ee489fecd75ed847c4bf016f886617fd609cfe0691

SHA512
b7598e4583fbd79d4ecca76cc5613a5614b34a4878c405387130ef111d7b8ad8bd41ef270a895ca3b955c6f0d0f1f919b9a9807f3a73c31b0f129afc4a503957

Download Submit
C:\ProgramData\SweetIM\Messenger\conf\sweetimapp.xml

Filesize
214B

MD5
b7754d9bdce3c62e0b9e8e1774106875

SHA1
c8d7b4dd4a696d0111b5dbf2d3d442a7139bf179

SHA256
d356149a0ad5322f4597cc1e97b840402d41ecf3f25c05aacd985c438126fc5e

SHA512
c8356c68545ae0368e342cc425583fad706181954f2285138e829cf5c0a50d196ba53fb57d361dbd594d3e23125d0bf59942d8ec948329865bb22bfd363d0666

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3F49787-0C16-465F-955E-95447E5514B8}\0x0409.ini

Filesize
6KB

MD5
26a9b54f250e00693773481b837e03cc

SHA1
554a407bf23984026785430e3bbdffdd1285be06

SHA256
2a5eb805543b141d77ce7192c5f7e4e10ffb56de0a5a66905c79298dfc5ffbd5

SHA512
a9f141f96f7bb498c4326cab2e846ce0715830ec86b04a311ccb0c7f3eb6adcc62ec1412cbd8d230b957cd923ab3a81af34b40294297773395d53d8aa73f9073

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3F49787-0C16-465F-955E-95447E5514B8}\Setup.INI

Filesize
2KB

MD5
817f669fa034f761383c3c4026e083cd

SHA1
16849fcea93d7e97a4cd3a0a8b5d7d0db7d69977

SHA256
c0b3ac33db3dda7da036f50fc53cb57109eec5edf3b9bb42dc32b127cabcfa74

SHA512
bb2bcacf046bcdaade6563a740bf3095f95ca873415b215581e2e221d0e073b89108bd733f8d8da958315d7434404b6ff586c401b997471681ca023d61b199fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3F49787-0C16-465F-955E-95447E5514B8}\SweetIMSetup.msi

Filesize
3.4MB

MD5
f5c9620b33186e24ddb8296406f1fb35

SHA1
0f950f135f45c37872eab7d88dca5603c5550017

SHA256
b0d35e012cefda8a46f607644970ac488df4758e4fd3b77b391d020a9abc04c3

SHA512
1c833bced84da81f11ec3c71e6e4fa70c41b0c116083c62aa7b60196347487261ca3e4f2182f8f53674745055f63b1b32d0d82510b09a7cf241556292720deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3F49787-0C16-465F-955E-95447E5514B8}\_ISMSIDEL.INI

Filesize
309B

MD5
7be824f4e03119281007b0c530d96b96

SHA1
dd98ee098b9632adb178f2974f47b75448321abc

SHA256
341445c4e1b555bc7d9b80e77efaff743575be69ee8ce2d010d980596accf361

SHA512
4ff62934c99ff4c26deb9b7eba1120636c7067d309c37b55cb03a7857b591bc36f331020fc7dc11a2aeadb773cadf97ada36738f5e1cd66637dfa3278c8c2c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B3F49787-0C16-465F-955E-95447E5514B8}\_ISMSIDEL.INI

Filesize
11B

MD5
3fdd2635aa94921522af8186f3c3d736

SHA1
0fe63553e9f993c0cb2cb36b8cdcfba4f4a2650d

SHA256
17ad78845c9c6a8e97a5bd14be56700a51ee85867c979ed6cf538e1fed82cf7c

SHA512
ebdbeefbdc777937fce516a1cbd9af7c305fc242091d695ad919a27c98fac5b6b16b44130bdf97dbfd10561cce701180b1fbb303d848944c3b33b8a3c058653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B85C4CB2-B352-4BD8-818C-BCE353599107}\VistaCookiesCollector.exe

Filesize
64KB

MD5
341bf66e171eff284729e0e6c6cf0512

SHA1
858189135fb19f1373bbff6d0a8acf0899761d55

SHA256
b7e38898029c47286baca15b4ecbf79770d064ab529a081e9cbbc8d53c89b52b

SHA512
6ba6b6ca15d7a5af7c9f0bb7e1003498e95b469b1b0c332bc910285e7a73263e6e092369e5f6a5703b03a9676c0e2ecb8cb80158910812a1b4a9032f5619834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B85C4CB2-B352-4BD8-818C-BCE353599107}\mgSqlite3.dll

Filesize
383KB

MD5
8a4af3b0695f29186ad02e2fd766fa3b

SHA1
c8f1e3f28152c6c010b7ae8fa4d167e3c388ff0c

SHA256
346f692db61b1355df431f58f0a9c4c6ed7bdf0c9ad3e2cad42e0b3920ea44c6

SHA512
3c94cd08c21bccfe66aa7c813c86f8a11672c0472dabfd12b699bb01b55741903ca73c8385f531dd2733ec70caee0af3040c6b84f09f5b5e981ba12026cbb4cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
4de8116e6abaa7c25244e3fded27fa09

SHA1
f9d0d18308bcf68225ea42bbcd069b81ab6e4aa5

SHA256
f4dfc832f9d5d148061836454629844c2cfd6ce3da66332c2e6df368ae10f00f

SHA512
87ce4967611a1c84884d7c3f4ff11a0c24d5cbfc4605fc6045a6066d21fd6d599ba99cb0bb576bda942292f1f39f3b6c51d316b6c389bb80288ea8e76f662f60

Download Submit
C:\Windows\Installer\MSI5D00.tmp

Filesize
56KB

MD5
74578bf21c4ce56dbb2fbd7616895637

SHA1
1d6a43e6d47da777abe5aa72f39f5c396d7e37e5

SHA256
c9cfe837eba6960ce065653e45fdbb6fe3fd0bbbb0787e29b1881c03a3fcfb56

SHA512
f6219335b266c6d78628ca11b7a4c49fdf6c7f1261332b2b4a8abac49be59cc5c6180caa8cddb32602c55f546c8cca3ee7c41ab72859cb07ff9c5be6e11720aa

Download Submit
C:\Windows\Installer\MSI6175.tmp

Filesize
96KB

MD5
933c5c5d2e46a10ad94aa35f90c8ef01

SHA1
6cd9f9353a3fabbbc6938afc1b67285b699f5972

SHA256
8e37e9ede55b240e4e48421a490994665b58aa5e626c6f3e4ee2da335133cffa

SHA512
2e0dac354b296682a9a31270584b6b2214664edb4eb308bb85c9d7f785f08269a1006caa49ecae6b0789f71dc9378c29319517b22c0caf8dfc4d40156960cb40

Download Submit
C:\Windows\Installer\MSI688B.tmp

Filesize
240KB

MD5
e3884deb6f58b8bcff893c551bfe3f39

SHA1
063442bb79bfb9e2f2adb263a17c26543eee2587

SHA256
93e1ef9612ea078ccd3fc45d932780822a374184edadd9357ac225da580dc56f

SHA512
f3b943a4822cc376e8410b4b83c734cc50510900195bb1d8a87eed15ea48b8963a0a14c5b960e137b2101fa79ade140f2e2daa399091114ef2353a70daf03acd

Download Submit
memory/3268-160-0x0000000002830000-0x0000000002893000-memory.dmp

Filesize
396KB

Download
memory/4172-214-0x0000000000A70000-0x0000000000A97000-memory.dmp

Filesize
156KB

Download
memory/4172-212-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/4172-209-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/4172-198-0x00000000005F0000-0x0000000000633000-memory.dmp

Filesize
268KB

Download