Windows Analysis Report
BundleSweetIMSetup.exe

Overview

General Information

Sample name: BundleSweetIMSetup.exe
Analysis ID: 1431987
MD5: bcc96659d6a46536dbde959fb9d60f67
SHA1: eb2352a46bf4d0112346814b406f2af3484cb93f
SHA256: beb0423b1afe047964ad168060a8fd92c550814f6797b937ee0092004640aa18
Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 50
Range: 0 - 100

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Found suspicious ZIP file
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Changes the start page of internet explorer
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Internet Explorer Autorun Keys Modification
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: https://storage2.stgbssint.com/Search/SearchApplication/Resources/Images/Search/closeSprite.png Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\SweetIM\Messenger\ContentPackagesActivationHandler.exe ReversingLabs: Detection: 34%
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgAdaptersProxy.dll ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgArchive.dll ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgFlashPlayer.dll ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgICQAuto.dll ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgICQMessengerAdapter.dll ReversingLabs: Detection: 24%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgMediaPlayer.dll ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgMsnAuto.dll ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgMsnMessengerAdapter.dll ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgSweetIM.dll ReversingLabs: Detection: 22%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgUpdateSupport.dll ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgYahooAuto.dll ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgYahooMessengerAdapter.dll ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgcommon.dll ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgcommunication.dll ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgconfig.dll ReversingLabs: Detection: 27%
Source: C:\Program Files (x86)\SweetIM\Messenger\mghooking.dll ReversingLabs: Detection: 33%
Source: C:\Program Files (x86)\SweetIM\Messenger\mglogger.dll ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgsimcommon.dll ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\SweetIM\Messenger\mgxml_wrapper.dll ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\SweetIM\Messenger\resources\sqlite\mgSqlite3.dll ReversingLabs: Detection: 20%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\ClearHist.exe ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll ReversingLabs: Detection: 28%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe ReversingLabs: Detection: 31%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll ReversingLabs: Detection: 27%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgcommon.dll ReversingLabs: Detection: 24%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgconfig.dll ReversingLabs: Detection: 27%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mghooking.dll ReversingLabs: Detection: 24%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mglogger.dll ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgsimcommon.dll ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgxml_wrapper.dll ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\1714110143_4764500_750.tmp ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\1714110143_4764625_750.tmp ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe (copy) ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe (copy) ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}\mgSqlite3.dll ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\mgSqlite3.dll ReversingLabs: Detection: 20%
Source: C:\Windows\Installer\MSIC547.tmp ReversingLabs: Detection: 28%
Source: C:\Windows\Installer\MSID16F.tmp ReversingLabs: Detection: 28%
Source: C:\Windows\Installer\MSID25A.tmp ReversingLabs: Detection: 28%
Source: C:\Windows\Installer\MSID2C8.tmp ReversingLabs: Detection: 28%
Source: C:\Windows\Installer\MSIEB08.tmp ReversingLabs: Detection: 21%
Source: C:\Windows\Installer\MSIEF30.tmp ReversingLabs: Detection: 24%
Source: C:\Windows\Installer\MSIF7EB.tmp ReversingLabs: Detection: 21%
Source: C:\Windows\Installer\MSIF889.tmp ReversingLabs: Detection: 21%
Source: BundleSweetIMSetup.exe ReversingLabs: Detection: 50%
Source: BundleSweetIMSetup.exe Virustotal: Detection: 37%
Source: https://www.sweetim.com/installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588} HTTP Parser: No favicon

Compliance

Source: BundleSweetIMSetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Window detected: Agree && Continue >DisagreeTo continue the installation you must agree to the following terms of service agreementSweetIM provides aid when misspelling or incorrectly formatting browser address request.SWEETIM Technologies LTD.Thank you for installing SweetIM for Messenger and SweetIM Toolbar for browserSweetIM is certified as Trusted Download Program by TRUSTeEND USER LICENSE AGREEMENT / TERMS OF SERVICE / AND PRIVACY POLICY IMPORTANT - PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY.THIS AGREEMENT SHALL GOVERN YOUR USE OF SWEETIM SOFTWARE SERVICE AND SITE. IF AFTER READING THIS AGREEMNET YOU WISH TO USE THE SWEETIM SOFTWARE WEBSITE AND ITS FEATURES PLEASE INDICATE YOUR ACCEPTANCE HEREOF BY CLICKING "I AGREE" AT THE END.Please note: (1) you MUST be 13 years or older to install or to use the SweetIM Software. If you are not yet 13 do not download SweetIM Software; (2) the SweetIM Software is not intended for use by or be available to persons under the age limit of any jurisdiction which restricts the use of Internet-based applications and services according to age. IF YOU RESIDE IN SUCH A JURISDICTION AND ARE UNDER THAT JURISDICTION'S AGE LIMIT FOR USING INTERNET-BASED APPLICATIONS OR SERVICES YOU MAY NOT DOWNLOAD INSTALL OR USE THE SWEETIM SOFTWARE AND YOU MAY NOT ACCESS THE SERVICESThis combined End User License Agreement / Terms / and Privacy policy (The "Agreement") constitutes a valid and binding agreement between SweetIM Technologies LTD. (formerly known as Imvent Ltd) which governs the use of the SweetIM Website Software and its features (together with its affiliates successors and assigns "SweetIM") and you ("you" or "your") for the use of the SweetIM Software Network Content and Services as defined below. You must enter into this agreement in order to install and use such SweetIM Software. 
When you download the SweetIM Software you will receive the following software features: 1.SweetIM for Messenger: An add-on toolbar that allows you to easily add fun content to your instant messenger conversations. This content is updated constantly and offers fun Emoticons Audibles Winks SoundFX Nudges Games special effects and more.2.SweetIM Toolbar for IE and for Firefox: A toolbar that is located on your internet browser and allows you to:oAdd SweetIM fun content such as emoticons texticons and other animations to web mail chat forums and social networksoSearch the web through SweetIM Search powered by Google (described below).oSweetIM Search: allows you to search the web through:1.A search box in the toolbar.2.Default Search (for IE 7 and up and Firefox): Using the search box next to the address bar. Upon installation we offer you to use SweetIM search as your default search provider in IE 7 and up and Firefox. You can manually choose other search providers by clicking on the drop down button next to the search box. 3. Search Assistance: if you place a search query in the address bar or misspell an address this feature provides you with
Source: BundleSweetIMSetup.exe Static PE information: certificate valid
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe File opened: C:\Program Files (x86)\SweetIM\Messenger\MSVCR71.dll
Source: unknown HTTPS traffic detected: 13.249.98.125:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.249.98.125:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: BundleSweetIMSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Imvent\Develop\Client\vc\output\release\mgconfig.pdb source: mgconfig.dll0.3.dr
Source: Binary string: C:\Imvent\Develop\Client\vc\SweetSDM\Release\SweetSDM.pdb source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: c:\Imvent\Develop\Client\vc\Toolbar\Release_bin\mgHelper.pdbh source: mgHelper.dll.3.dr
Source: Binary string: c:\SimOlderVersions\SIM 3.6\Client\vc\output\Release\mgICQMessengerAdapter.pdb source: mgICQMessengerAdapter.dll.3.dr
Source: Binary string: c:\Imvent\Develop\Client\vc\output\release\mghooking.pdb source: mghooking.dll0.3.dr
Source: Binary string: c:\Imvent\Develop\Client\vc\Toolbar\Release_bin\mgHelper.pdb source: mgHelper.dll.3.dr
Source: Binary string: msvcp71.pdb source: SweetIM.exe, SweetIM.exe, 00000007.00000002.1895639481.000000007C3C1000.00000020.00000001.01000000.00000010.sdmp, msvcp71.dll.3.dr
Source: Binary string: c:\Imvent\Develop\Client\vc\Toolbar\output\release\mgToolbarProxy.pdb source: mgToolbarProxy.dll.3.dr
Source: Binary string: c:\SimOlderVersions\SIM 3.6\Client\vc\output\release\mgICQAuto.pdb source: mgICQAuto.dll.3.dr
Source: Binary string: C:\Imvent\Develop\Client\vc\SweetSDM\Release\SweetSDM.pdb@ source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: msvcr71.pdb source: SweetIMSetup.exe, 00000001.00000002.1844516312.000000007C361000.00000020.00000001.01000000.00000011.sdmp, SweetIM.exe, SweetIM.exe, 00000007.00000002.1895440500.000000007C361000.00000020.00000001.01000000.00000011.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00413D18 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose, 1_2_00413D18
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00422D97 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose, 1_2_00422D97
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007B36A0 _IsDirectoryEmpty@4,wcslen,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,FindFirstFileW,wcscmp,wcscmp,wcscmp,FindNextFileW,FindClose,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_007B36A0
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007B3800 DeleteFolder,wcslen,IsDirectoryFile,wcscpy,PathAddBackslashW,PathAddExtensionW,FindFirstFileW,FindNextFileW,wcscpy,PathAddBackslashW,wcscat,DeleteFileW,DeleteFolder,FindClose,RemoveDirectoryW, 7_2_007B3800
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_10007070 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,RegQueryValueExW,wcslen,wcscat,_IsFileExist@4,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,RegCloseKey,?GetShellFolderPath@@YG?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_IsFileExist@4,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,RegQueryValueExW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,wcslen,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,wcscpy,PathStripPathW,wcslen,wcslen,wcslen,?erase@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@II@Z,?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,FindClose,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB,wcslen,?erase@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@II@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z,?SplitString@@YAHABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@0AAV?$vector@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@V?$allocator@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@@2@@2@H@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,_wtoi,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_10007070
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C378DFA _wstat,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileW,wcspbrk,_wfullpath,wcslen,GetDriveTypeW,_errno,__doserrno,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 7_2_7C378DFA
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C376DCB _findfirst64,FindFirstFileA,GetLastError,_errno,_errno,_errno,strcpy, 7_2_7C376DCB
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C377ED3 _stat,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileA,_mbspbrk,_fullpath,strlen,GetDriveTypeA,_errno,__doserrno,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 7_2_7C377ED3
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C376FD6 _findfirsti64,FindFirstFileA,GetLastError,_errno,_errno,_errno,strcpy, 7_2_7C376FD6
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_10016120 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,InternetCheckConnectionW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_10016120
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 152.195.50.149
Source: unknown TCP traffic detected without corresponding DNS query: 23.193.120.112
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004C3CC0 ?URLDownload@CDownloadManager@@QAEHPBGPAGPAVCBSCallbackImpl@@H@Z,GetFileAttributesW,SetFileAttributesW,RegOpenKeyExW,RegEnumKeyExW,RegCloseKey,URLDownloadToFileW,DeleteUrlCacheEntryW,DeleteFileW,InternetOpenW,InternetSetOptionW,InternetOpenUrlW,InternetCloseHandle,HttpQueryInfoW,HttpQueryInfoW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoW,_wtol,CreateFileW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,WriteFile,FlushFileBuffers,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteUrlCacheEntryW, 7_2_004C3CC0
Source: global traffic HTTP traffic detected: GET /bi/track.gif?prodid=1&compid=35&actid=100&cargo=WV:6.2;SC:0;SSN:145695948050;C_FILEVER:1.3.0.3;C_BUILDTIME:1302091979;C_REPORT:;B_IMVER:3.6.0002;B_IEVER:4.2.0004;B_BUILDTIME:1318168523;B_INFO:;; HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: content.sweetim.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=6NvAnKL1OPtr5PT&MD=RuvlYw+b HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /bi/track.gif?prodid=1&compid=35&actid=102&cargo=WV:6.2;SC:0;SSN:145695948050;C_FILEVER:1.3.0.3;C_BUILDTIME:1302091979;C_REPORT:;B_IMVER:3.6.0002;B_IEVER:4.2.0004;B_BUILDTIME:1318168523;B_INFO:;; HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: content.sweetim.comConnection: Keep-AliveCookie: UserId=C0736790-038F-11EF-AAC5-BF869E32CC1E; UserData=2024-04-26T05%3A42%3A21.577Z
Source: global traffic HTTP traffic detected: GET /installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588} HTTP/1.1Host: www.sweetim.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/AfQPRnlSkk0SHkG5PXvb3F_Q7hH-5ddsxHHT56Cx-_JWux0fg0SnDHAT6sRgPwMxLj9QK3jdbgroAjU8smhTZreN3EjllobyDxCd6anURJdX2LwhsxiO4Wd9jGJUvOZjNG0AxlKa5b7kLavSfewVpsPdhgIchnuqABvb/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_24_4_1_2.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /search/images/homepage/button_bg.png HTTP/1.1Host: se-p-static-content.seccint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.sweetim.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Search/SearchApplication/Resources/SpyGlass130x40.png HTTP/1.1Host: storage2.stgbssint.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.sweetim.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Search/SearchApplication/Resources/Images/Search/closeSprite.png HTTP/1.1
    Host: storage2.stgbssint.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://www.sweetim.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Host: www.sweetim.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-arch: "x86"
    sec-ch-ua-platform-version: "10.0.0"
    dpr: 1
    downlink: 1.3
    sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
    sec-ch-ua-bitness: "64"
    sec-ch-ua-model: ""
    sec-ch-ua-platform: "Windows"
    device-memory: 8
    rtt: 350
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    viewport-width: 1280
    sec-ch-ua-full-version: "117.0.5938.132"
    ect: 3g
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://www.sweetim.com/installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588}
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: UserId=D725A570-038F-11EF-AAC5-BF869E32CC1E; UserData=2024-04-26T05%3A42%3A59.655Z; st=SearchWeb; _hse=true
Source: global traffic HTTP traffic detected: GET /search/images/homepage/button_bg.png HTTP/1.1
    Host: se-p-static-content.seccint.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Search/SearchApplication/Resources/SpyGlass130x40.png HTTP/1.1
    Host: storage2.stgbssint.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Search/SearchApplication/Resources/Images/Search/closeSprite.png HTTP/1.1
    Host: storage2.stgbssint.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Host: www.sweetim.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: UserId=D725A570-038F-11EF-AAC5-BF869E32CC1E; UserData=2024-04-26T05%3A42%3A59.655Z; st=SearchWeb; _hse=true
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /webstore/inlineinstall/detail/efaidnbmnnnibpcajpcglclefindmkaj HTTP/1.1
    Host: chrome.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=6NvAnKL1OPtr5PT&MD=RuvlYw+b HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /bi/track.gif?prodid=1&compid=35&actid=100&cargo=WV:6.2;SC:0;SSN:145695948050;C_FILEVER:1.3.0.3;C_BUILDTIME:1302091979;C_REPORT:;B_IMVER:3.6.0002;B_IEVER:4.2.0004;B_BUILDTIME:1318168523;B_INFO:;; HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: content.sweetim.com
Source: global traffic HTTP traffic detected: GET /bi/track.gif?prodid=1&compid=35&actid=102&cargo=WV:6.2;SC:0;SSN:145695948050;C_FILEVER:1.3.0.3;C_BUILDTIME:1302091979;C_REPORT:;B_IMVER:3.6.0002;B_IEVER:4.2.0004;B_BUILDTIME:1318168523;B_INFO:;; HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: content.sweetim.com
    Cookie: UserId=C0736790-038F-11EF-AAC5-BF869E32CC1E; UserData=2024-04-26T05%3A42%3A21.577Z
Source: global traffic HTTP traffic detected: GET /installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588} HTTP/1.1
    Host: www.sweetim.com
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: toolbar.xml.3.dr String found in binary or memory: <EXTERNAL_SEARCH target="sim_search_combo" engine="http://www.facebook.com/s.php" param="q=" encoding="65001"/> equals www.facebook.com (Facebook)
Source: toolbar.xml.3.dr String found in binary or memory: <WEBJUMP name="doFacebookNewTab" href="http://www.facebook.com" targetwindow="newtab"/> equals www.facebook.com (Facebook)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1920924192.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920992518.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920858823.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}}, equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe String found in binary or memory: "],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https:/ equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1920924192.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920491757.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920281542.0000000004274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}} equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918937740.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}}": equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1919261004.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1919178794.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1919315905.000000000427A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}}":i equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1916601668.0000000002B1C000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1919721396.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1921062510.000000000427A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}}i equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1916881361.000000000429A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}}ru equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1931108151.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931357660.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932783884.00000000042BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajap equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe String found in binary or memory: fault"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeo equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe String found in binary or memory: ml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google. equals www.youtube.com (Youtube)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1920760714.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920726981.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1922449222.00000000042C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}}, equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: content.sweetim.com
Source: global traffic DNS traffic detected: DNS query: www.sweetim.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: storage2.stgbssint.com
Source: global traffic DNS traffic detected: DNS query: se-p-static-content.seccint.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: chrome.google.com
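The two /bi/track.gif requests to content.sweetim.com are the installer's own telemetry beacons: they carry a legacy MSIE 7.0 user agent rather than the Chrome one used for the landing pages, and their cargo= parameter is a ';'-separated KEY:VALUE blob rather than ordinary query parameters. The Python below is an added example, not code from the report or from the SweetIM software: it reconstructs three of the requests listed above with CRLF line endings restored and long header values shortened (constructed input), decodes the beacon, and sorts the hosts from the DNS entries into vendor traffic and OS/browser background traffic. That vendor/background split, the request labels, and the reading of the C_BUILDTIME/B_BUILDTIME cargo fields as Unix epochs are assumptions made for the example.

```python
"""Decode the installer's HTTP beacons and triage the hosts it contacts.

Added example, not part of the sandbox report. Requests are reconstructed
from the report's 'HTTP traffic detected' entries (constructed input);
the domain split and the Unix-epoch reading of *_BUILDTIME are assumptions.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hosts the report shows the installer and its landing pages contacting.
VENDOR_DOMAINS = {
    "content.sweetim.com", "www.sweetim.com",
    "storage2.stgbssint.com", "se-p-static-content.seccint.com",
}
# Assumption: OS and browser background traffic captured in the same run.
BACKGROUND_DOMAINS = {
    "clients2.googleusercontent.com", "www.google.com", "chrome.google.com",
    "fs.microsoft.com", "slscr.update.microsoft.com",
}

# Constructed from the report's entries; header order kept, UA strings cut.
SAMPLE_REQUESTS = [
    "GET /bi/track.gif?prodid=1&compid=35&actid=100&cargo=WV:6.2;SC:0;"
    "SSN:145695948050;C_FILEVER:1.3.0.3;C_BUILDTIME:1302091979;C_REPORT:;"
    "B_IMVER:3.6.0002;B_IEVER:4.2.0004;B_BUILDTIME:1318168523;B_INFO:;; HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64)\r\n"
    "Host: content.sweetim.com\r\n\r\n",
    "GET /installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588} HTTP/1.1\r\n"
    "Host: www.sweetim.com\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0.0.0\r\n\r\n",
    "GET /fs/windows/config.json HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Microsoft BITS/7.8\r\n"
    "Host: fs.microsoft.com\r\n\r\n",
]

def parse_request(raw):
    """Split one HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def split_query(query):
    """Split on '&' only: the cargo value itself contains ';' and ':'."""
    params = {}
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            params[key] = value
    return params

def parse_cargo(cargo):
    """Decode the ';'-separated KEY:VALUE telemetry blob in cargo=."""
    fields = {}
    for item in cargo.split(";"):
        if item:
            key, _, value = item.partition(":")
            fields[key] = value
    return fields

def parse_beacon(target):
    """Return the decoded beacon for a /bi/track.gif request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/bi/track.gif"):
        return None
    params = split_query(parts.query)
    beacon = {key: params.get(key) for key in ("prodid", "compid", "actid")}
    beacon["cargo"] = parse_cargo(params.get("cargo", ""))
    return beacon

def epoch_to_iso(value):
    """Assumption: *_BUILDTIME fields are Unix epochs; render as a UTC date."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d")

def classify(raw):
    """Label a request as installer beacon, vendor web traffic or background."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    if host in VENDOR_DOMAINS and parse_beacon(target) is not None:
        return "beacon"
    if host in VENDOR_DOMAINS:
        return "vendor-web"
    if host in BACKGROUND_DOMAINS:
        return "background"
    return "unknown"

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        _m, target, headers = parse_request(raw)
        print(f"{classify(raw):11s} {headers.get('host', ''):32s} {target[:48]}")
    beacon = parse_beacon(parse_request(SAMPLE_REQUESTS[0])[1])
    print("actid", beacon["actid"], "SSN", beacon["cargo"]["SSN"],
          "B_BUILDTIME", epoch_to_iso(beacon["cargo"]["B_BUILDTIME"]))
```

The query is split on '&' by hand rather than with urllib's parse_qs because older Python versions also treated ';' as a parameter separator, which would shred the cargo blob. The SSN value and the actid counter (100, then 102 on the second beacon) are the fields worth keying detections on: the SSN stays constant across the run, and the cookie-less first beacon followed by a second one carrying a UserId cookie matches the sequence the report lists.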
Source: toolbar.xml.3.dr String found in binary or memory: http://127.0.0.1/test/content-notifier.js
Source: toolbar.xml.3.dr String found in binary or memory: http://127.0.0.1/test/locales34.xml
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://127.0.0.1/test/rc_tb.html
Source: addonlistener.js.10.dr, addonlistener.js0.10.dr String found in binary or memory: http://adblockplus.org/blog/how-many-hacks-does-it-take-to-make-your-extension-install-without-a-res
Source: chromecache_795.15.dr String found in binary or memory: http://api.autocompleteplus.com/?q=
Source: stringbundles.js1.10.dr, stringbundles.js0.10.dr String found in binary or memory: http://books.mozdev.org/html/mozilla-chp-11-sect-3.html)
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/emoticons/mietb202p.html
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/fb/images/facebook.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/fb/m0100.html
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/icons/webmail/animals.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/icons/webmail/emoticons.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/icons/webmail/gestures.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/icons/webmail/glitters.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/icons/webmail/love.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/icons/webmail/texticons.png
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/resources/fb/ieinfb.js
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/resources/fb/ieinfb_https.js
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/webmail/mietb20i.html?menu=1
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/webmail/mietb20i.html?menu=2
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/webmail/mietb20i.html?menu=3
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/webmail/mietb20i.html?menu=4
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/webmail/mietb20i.html?menu=5
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/webmail/mietb20i.html?menu=7
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.content.sweetim.com/toolbar/winks/mietb202p.html
Source: toolbar.xml.3.dr String found in binary or memory: http://cdn.triplegames.com/shared/apps/gamearcade/arcade.htm?publisherId=3205&amp;sectionId=767997
Source: BundleSweetIMSetup.exe, 00000000.00000003.1674858263.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1969481685.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2062389261.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068998373.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061074019.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2063830032.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068383399.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2065296062.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2065627810.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2069638260.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712185619.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073522009.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://content.sweetim.com/bi/track.gif?prodid=1&compid=35&actid=100&8
Source: BundleSweetIMSetup.exe, 00000000.00000003.1712185619.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://content.sweetim.com/bi/track.gif?prodid=1&compid=35&actid=100&cargo=WV:6.2;SC:0;SSN:145695948
Source: BundleSweetIMSetup.exe, 00000000.00000002.2076285085.0000000004281000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2069638260.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073522009.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068998373.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073166287.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2065627810.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061543965.0000000002A54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://content.sweetim.com/bi/track.gif?prodid=1&compid=35&actid=102&cargo=WV:6.2;SC:0;SSN:145695948
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://content.sweetim.com/bi/track.gif?prodid=1&compid=actid=%d;;cargo=&irmaReportDownloadRemoteFil
Source: sweetim-contentmenu.xul0.10.dr, sweetim-contentmenu.xul.10.dr String found in binary or memory: http://content.sweetim.com/sim/mfftb20.html
Source: MSIC4F8.tmp.3.dr, MSIDA99.tmp.3.dr, 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, MSIE99E.tmp.3.dr, MSIF8B9.tmp.3.dr, MSIEAC8.tmp.3.dr String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: MSIC4F8.tmp.3.dr, MSIDA99.tmp.3.dr, 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, MSIE99E.tmp.3.dr, MSIF8B9.tmp.3.dr, MSIEAC8.tmp.3.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: cookies.js0.10.dr, cookies.js1.10.dr, cookies.js.10.dr String found in binary or memory: http://developer.mozilla.org/En/NsICookieService
Source: commands.js0.10.dr String found in binary or memory: http://developer.mozilla.org/en/docs/Code_snippets:Cookies
Source: SIMAutoCompleteSearch.js1.10.dr, SIMAutoCompleteSearch.js.10.dr String found in binary or memory: http://developer.mozilla.org/en/docs/How_to_implement_custom_autocomplete_search_component
Source: splitter.js0.10.dr String found in binary or memory: http://developer.mozilla.org/en/docs/XUL_Tutorial:More_Event_Handlers
Source: install.js.10.dr String found in binary or memory: http://developer.mozilla.org/en/docs/nsIFile:remove
Source: config.js0.10.dr String found in binary or memory: http://developer.mozilla.org/en/docs/nsIPrefBranch
Source: bar.js1.3.dr String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8
Source: SIMAutoCompleteSearch.js1.10.dr, SIMAutoCompleteSearch.js.10.dr String found in binary or memory: http://forums.mozillazine.org/viewtopic.php?f=19&t=2070317)
Source: cookies.js0.10.dr, cookies.js1.10.dr, cookies.js.10.dr String found in binary or memory: http://forums.mozillazine.org/viewtopic.php?f=27&t=656397
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1944544419.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1941745817.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931426271.0000000004295000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931108151.0000000004295000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942049041.00000000042A2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931392225.0000000004295000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931985408.000000000429C000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931954475.000000000429A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945571211.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947052473.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1940929338.0000000004295000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931858184.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943390567.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947428250.00000000042A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.swee
Source: BundleSweetIMSetup.exe, 00000000.00000002.2076375666.00000000042A2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1949290499.00000000042A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.sweeA
Source: prefs.js.0.dr, globals.js0.10.dr String found in binary or memory: http://home.sweetim.com
Source: BundleSweetIMSetup.exe, 00000000.00000003.1921147282.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, Preferences.0.dr String found in binary or memory: http://home.sweetim.com/?barid=
Source: toolbar.xml.3.dr String found in binary or memory: http://home.sweetim.com/?st=1$amp_crg_equals_cargo;
Source: BundleSweetIMSetup.exe, 00000000.00000003.1969399479.0000000002A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.sweetim.com/cal
Source: BundleSweetIMSetup.exe, 00000000.00000003.1935736279.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936066195.00000000042BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.sweetim.com;
Source: mgsimcommon.dll.3.dr String found in binary or memory: http://home.sweetim.com?barid=/&barid=&amp;barid=?http://search.sweetim.com/search.asp?src=6&q=
Source: SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, MSIEB08.tmp.3.dr, MSIF7EB.tmp.3.dr String found in binary or memory: http://home.sweetim.comPrevious.HKLM.Start
Source: 48c209.msi.3.dr, MSID16F.tmp.3.dr, MSID25A.tmp.3.dr, MSIC547.tmp.3.dr String found in binary or memory: http://home.sweetim.comSIMHPURLhttp://search.sweetim.com/?src=6&amp;q=
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SweetIM.exe, 00000007.00000002.1893180868.00000000004A4000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://home.sweetim.comhttp://search.sweetim.com/search.asp?src=6&q=
Source: chromecache_795.15.dr String found in binary or memory: http://info.sweetim.com
Source: chromecache_795.15.dr String found in binary or memory: http://info.sweetim.com/aboutus/
Source: chromecache_795.15.dr String found in binary or memory: http://info.sweetim.com/privacy-policy/
Source: chromecache_795.15.dr String found in binary or memory: http://info.sweetim.com/terms/
Source: install.js.10.dr String found in binary or memory: http://kb.mozillazine.org/Keyword.URL)
Source: install.js.10.dr String found in binary or memory: http://kb.mozillazine.org/Search_Provider)
Source: mglogger.dll0.3.dr String found in binary or memory: http://mguglielmi.free.fr
Source: MSIC4F8.tmp.3.dr, MSIDA99.tmp.3.dr, 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, MSIE99E.tmp.3.dr, MSIF8B9.tmp.3.dr, MSIEAC8.tmp.3.dr String found in binary or memory: http://ocsp.thawte.com0
Source: mglogger.dll0.3.dr String found in binary or memory: http://resource.jsmadeeasy.com/viewscript.asp?scriptid=507
Source: inject.js.10.dr, inject.js1.10.dr String found in binary or memory: http://sc.sweetim.com/apps/in/fb/infb.js
Source: install.js.10.dr String found in binary or memory: http://search.sweetim.
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SweetIM.exe, 00000007.00000002.1893761079.00000000007D7000.00000002.00000001.01000000.0000000E.sdmp, 48c209.msi.3.dr, install.js.10.dr, MSID16F.tmp.3.dr, SweetIESetup.msi.8.dr, MSID25A.tmp.3.dr, 48c20d.msi.3.dr, sweetim.xml.10.dr, MSIC547.tmp.3.dr String found in binary or memory: http://search.sweetim.com
Source: BundleSweetIMSetup.exe, 00000000.00000003.1942817662.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942781086.00000000042BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://search.sweetim.com/?src=6$1q=
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1945077551.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944736609.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945416513.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946637880.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942817662.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948776353.00000000042C0000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1941087262.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948421204.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1941207681.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943216817.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947394238.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943178865.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944813184.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1949217415.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945116548.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946152544.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946475050.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942957332.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944176269.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947806512.00000000042C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://search.sweetim.com/?src=6&amp;q=
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://search.sweetim.com/?src=6&q=
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=1&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=1&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=10&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=11&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=12&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=13&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=14&amp;q=%sim_search_combo
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=15&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=15&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=16&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=17&amp;q=%sim_search_combo
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=2&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=2&amp;q=%sim_search_combo
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=3&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=3&amp;q=%sim_search_combo
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=4&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=4&amp;q=%sim_search_combo
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=5&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=5&amp;q=%sim_search_combo
Source: toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=6&amp;q=$sim_search_combo;
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=6&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=7&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=8&amp;q=%sim_search_combo
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://search.sweetim.com/redir.asp?pid=9&amp;q=%sim_search_combo
Source: globals.js1.10.dr, globals.js0.10.dr, toolbar.xml.3.dr String found in binary or memory: http://search.sweetim.com/search.asp
Source: search.js0.10.dr String found in binary or memory: http://search.sweetim.com/search.asp?src=1&q=%sim_search_combo
Source: mgHelper.dll.3.dr String found in binary or memory: http://search.sweetim.com/search.asp?src=2&pdp=1000&q=%shttp://search.sweetim.com/search.asp?src=8&p
Source: MenuExt.html.3.dr String found in binary or memory: http://search.sweetim.com/search.asp?src=4&q=
Source: BundleSweetIMSetup.exe, 00000000.00000003.1923091904.00000000042A2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1969287489.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1922482118.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1922236173.00000000042A1000.00000004.00000020.00020000.00000000.sdmp, SweetIM.exe, 48c209.msi.3.dr, MSID16F.tmp.3.dr, MSID25A.tmp.3.dr, MSIC547.tmp.3.dr String found in binary or memory: http://search.sweetim.com/search.asp?src=6&q=
Source: install.js.10.dr String found in binary or memory: http://search.yahoo.com/
Source: addonlistener.js.10.dr, addonlistener.js0.10.dr String found in binary or memory: http://stackoverflow.com/questions/6284051/in-my-firefox-extension-onuninstalled-event-doesnt-seem-t
Source: VistaCookiesCollector.exe, 00000005.00000002.1791302329.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, VistaCookiesCollector.exe, 00000005.00000002.1791260931.0000000000450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sweetim.com
Source: VistaCookiesCollector.exe, 00000005.00000002.1791302329.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sweetim.com/
Source: VistaCookiesCollector.exe, 00000005.00000002.1791302329.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sweetim.com/c77b0923665da6f1
Source: VistaCookiesCollector.exe, 00000005.00000002.1791537351.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sweetim.com2;C:
Source: 48c20d.msi.3.dr, MSIEB08.tmp.3.dr, MSIF7EB.tmp.3.dr String found in binary or memory: http://sweetim.comAnalyzeCookieslogDllVersion.
Source: 48c209.msi.3.dr, MSID16F.tmp.3.dr, MSID25A.tmp.3.dr, MSIC547.tmp.3.dr String found in binary or memory: http://sweetim.comREFERRALID
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://sweetim.comREFERRALIDGetReferralCookieFound.
Source: toolbar.xml.3.dr String found in binary or memory: http://tab.search.sweetim.com/tab.asp
Source: cookies.js0.10.dr, cookies.js1.10.dr, cookies.js.10.dr String found in binary or memory: http://weblogs.mozillazine.org/doron/archives/2008/06/extensions_and_firefox_3_nsico.html
Source: 48c209.msi.3.dr, MSID16F.tmp.3.dr, MSID25A.tmp.3.dr, MSIC547.tmp.3.dr String found in binary or memory: http://www.aim.comSweetIM
Source: toolbar.xml.3.dr String found in binary or memory: http://www.hi5.com
Source: MSIC4F8.tmp.3.dr, MSIDA99.tmp.3.dr, 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, MSIE99E.tmp.3.dr, MSIF8B9.tmp.3.dr, MSIEAC8.tmp.3.dr String found in binary or memory: http://www.macrovision.com0
Source: install.rdf1.10.dr String found in binary or memory: http://www.mozilla.org/2004/em-rdf#
Source: SweetIM.exe, 00000007.00000002.1893761079.00000000007D7000.00000002.00000001.01000000.0000000E.sdmp, 48c209.msi.3.dr, MSID16F.tmp.3.dr, SweetIESetup.msi.8.dr, MSID25A.tmp.3.dr, 48c20d.msi.3.dr, sweetim.xml.10.dr, MSIC547.tmp.3.dr String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.css.10.dr, bindings.xml0.10.dr, bindings.xml1.10.dr, sweetim-contentmenu.xul0.10.dr, sweetim-toolbar.xul1.10.dr, sweetim-contentmenu.xul.10.dr String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: bindings.xml1.10.dr String found in binary or memory: http://www.mozilla.org/xbl
Source: toolbar.xml.3.dr String found in binary or memory: http://www.orkut.com
Source: 48c20b.rbs.3.dr, MSICDA5.tmp.3.dr, install.rdf1.10.dr, globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com
Source: toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com/about_overview.asp
Source: SweetIM.exe, 00000007.00000002.1894174346.0000000002630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sweetim.com/autoupdate/u.asp
Source: BundleSweetIMSetup.exe, 00000000.00000002.2073166287.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sweetim.com/cbi.gif
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.sweetim.com/cbi.gifSubmitTrackingPixel.
Source: SweetIM.exe, 00000007.00000002.1894174346.0000000002630000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sweetim.com/download/install/SweetIMSetup.exeup.exe
Source: globals.js1.10.dr, globals.js0.10.dr, toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/eula.html#privacy
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com/forum/
Source: BundleSweetIMSetup.exe, 00000000.00000003.1674858263.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1675117885.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2071455802.000000000045F000.00000040.00000001.01000000.00000003.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1674858263.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712010420.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1674811988.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr String found in binary or memory: http://www.sweetim.com/help
Source: globals.js1.10.dr, globals.js0.10.dr, toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/help_contact.asp
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com/help_simff.asp
Source: BundleSweetIMSetup.exe, 00000000.00000003.1674811988.0000000002A4D000.00000004.00000020.00020000.00000000.sdmp, toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/help_simie.asp
Source: BundleSweetIMSetup.exe, 00000000.00000003.1674858263.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1675117885.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2071455802.000000000045F000.00000040.00000001.01000000.00000003.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1674858263.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712010420.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr String found in binary or memory: http://www.sweetim.com/help_simie.asp#inst
Source: BundleSweetIMSetup.exe, 00000000.00000003.2061543965.0000000002A54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sweetim.com/installbar.asp?barid=
Source: toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/installbar.asp?barid=$toolbar_id;
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com/installbar.asp?barid=%toolbar_id
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.sweetim.com/installbar.asp?barid=GetSIMAppID
Source: 48c20d.msi.3.dr, MSIEB08.tmp.3.dr, MSIF7EB.tmp.3.dr String found in binary or memory: http://www.sweetim.com/installbar.asp?barid=http://www.sweetim.com/uninstallbar.asp?barid=http://www
Source: sweetim-toolbar.xul.10.dr, sweetim-toolbar.xul1.10.dr String found in binary or memory: http://www.sweetim.com/simffbar/rc.html
Source: install.rdf1.10.dr String found in binary or memory: http://www.sweetim.com/simffbar/update.rdf?ff_version=%APP_VERSION%&amp;toolbar_status=%ITEM_STATUS%
Source: toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/simiebar/
Source: toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/simiebar/download/toolbar.cab
Source: toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/uninstallbar.asp?barid=$toolbar_id;
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com/uninstallbar.asp?barid=%toolbar_id
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.sweetim.com/uninstallbar.asp?barid=http://www.sweetim.com/updatebar.aspFinalizeSweetIESet
Source: toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/uninstallhelp.asp
Source: globals.js1.10.dr, globals.js0.10.dr String found in binary or memory: http://www.sweetim.com/uninstallhelpff.asp
Source: 48c209.msi.3.dr, MSID16F.tmp.3.dr, MSID25A.tmp.3.dr, MSIC547.tmp.3.dr String found in binary or memory: http://www.sweetim.com/uninstallim.asp?simappid=%sUPGRADINGPRODUCTCODEhttp://www.sweetim.com/downloa
Source: globals.js1.10.dr, globals.js0.10.dr, toolbar.xml.3.dr String found in binary or memory: http://www.sweetim.com/updatebar.asp
Source: 48c209.msi.3.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr String found in binary or memory: http://www.sweetim.com0
Source: uninstallobserver.js1.10.dr, uninstallobserver.js0.10.dr String found in binary or memory: http://xulsolutions.blogspot.com/2006/07/creating-uninstall-script-for.html
Source: BundleSweetIMSetup.exe, 00000000.00000002.2075447475.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1916707330.0000000004277000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920924192.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1916707330.0000000004277000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920924192.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: BundleSweetIMSetup.exe String found in binary or memory: https://bridge.l
Source: BundleSweetIMSetup.exe String found in binary or memory: https://bridge.lga1.a
Source: BundleSweetIMSetup.exe String found in binary or memory: https://bridge.lga1.admark
Source: BundleSweetIMSetup.exe String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&c
Source: BundleSweetIMSetup.exe, 00000000.00000003.1948585972.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947911162.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935188702.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946152544.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946475050.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942957332.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947694690.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942852451.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935924437.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934723785.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935593919.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944176269.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947806512.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946074746.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934003704.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942781086.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946308990.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947731414.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947620062.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934221488.0000000002B1C000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944457193.00000000042C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1944544419.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943390567.0000000004296000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.n
Source: BundleSweetIMSetup.exe String found in binary or memory: https://bridge.lga1.ap01.net/ctp?
Source: BundleSweetIMSetup.exe String found in binary or memory: https://bridge.lga1.ap01.net/ctp?versio
Source: BundleSweetIMSetup.exe, 00000000.00000003.1947093299.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=169633223
Source: BundleSweetIMSetup.exe, 00000000.00000003.1944544419.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945077551.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936131977.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942817662.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946115163.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935736279.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944882361.00000000042B1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932917107.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948421204.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943216817.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947394238.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943178865.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935188702.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935096471.00000000042B6000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945303103.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948205588.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934686053.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935997640.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947357892.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946975552.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936337518.00000000042BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: SIMAutoCompleteSearch.js1.10.dr, SIMAutoCompleteSearch.js.10.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=625319
Source: BundleSweetIMSetup.exe, 00000000.00000002.2075447475.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/asse
Source: BundleSweetIMSetup.exe, 00000000.00000002.2075447475.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icoht
Source: BundleSweetIMSetup.exe, 00000000.00000003.1931108151.0000000004295000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931240313.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931426271.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932093565.00000000042B1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932017591.00000000042AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: BundleSweetIMSetup.exe, 00000000.00000002.2075447475.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appi0
Source: BundleSweetIMSetup.exe, 00000000.00000003.1969287489.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2069638260.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073522009.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712185619.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068998373.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2065627810.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content.sweetim.com/4
Source: BundleSweetIMSetup.exe, 00000000.00000003.1712185619.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061543965.0000000002A54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content.sweetim.com/bi/track.gif?prodid=1&compid=35&actid=100&cargo=WV:6.2;SC:0;SSN:14569594
Source: BundleSweetIMSetup.exe, 00000000.00000003.2068998373.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073522009.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2064156782.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068807066.0000000002A46000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2074530070.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2066491581.0000000002A46000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061074019.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2064156782.0000000002A46000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073166287.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061543965.0000000002A46000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2069638260.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2065627810.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061543965.0000000002A54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content.sweetim.com/bi/track.gif?prodid=1&compid=35&actid=102&cargo=WV:6.2;SC:0;SSN:14569594
Source: BundleSweetIMSetup.exe, 00000000.00000003.1969287489.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2069638260.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073522009.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712185619.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068998373.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2065627810.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content.sweetim.com/c
Source: BundleSweetIMSetup.exe, 00000000.00000003.1948585972.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947911162.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935188702.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946152544.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946475050.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942957332.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947694690.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942852451.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935924437.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934723785.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935593919.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944176269.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947806512.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946074746.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934003704.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942781086.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946308990.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947731414.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947620062.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934221488.0000000002B1C000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944457193.00000000042C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BundleSweetIMSetup.exe String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_
Source: BundleSweetIMSetup.exe, 00000000.00000003.1944544419.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945077551.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936131977.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942817662.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946115163.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935736279.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944882361.00000000042B1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932917107.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948421204.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943216817.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947394238.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943178865.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935188702.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935096471.00000000042B6000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945303103.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948205588.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934686053.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935997640.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947357892.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946975552.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936337518.00000000042BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: tabinfo.js.10.dr String found in binary or memory: https://developer.mozilla.org/en/Code_snippets/Tabbed_browser
Source: addonlistener.js.10.dr, addonlistener.js0.10.dr String found in binary or memory: https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions)
Source: BundleSweetIMSetup.exe, 00000000.00000003.1931108151.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931357660.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932783884.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932818795.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931614131.00000000042C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.googl
Source: BundleSweetIMSetup.exe String found in binary or memory: https://docs.google.
Source: BundleSweetIMSetup.exe String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chro
Source: BundleSweetIMSetup.exe String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918937740.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp, Preferences.0.dr String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: BundleSweetIMSetup.exe String found in binary or memory: https://docs.google.com/presentat
Source: BundleSweetIMSetup.exe, 00000000.00000003.1931108151.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931357660.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932783884.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932818795.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931614131.00000000042C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/in
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918937740.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp, Preferences.0.dr String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1919261004.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920924192.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1916601668.0000000002B1C000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931108151.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931357660.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920924192.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1916881361.000000000429A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1919178794.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1919721396.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920491757.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1921062510.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932783884.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932818795.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920992518.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920281542.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1919748111.0000000004274000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920858823.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931614131.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920760714.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1920726981.00000000042C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: BundleSweetIMSetup.exe, 00000000.00000003.1931108151.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931357660.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932783884.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932818795.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1933055444.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1933341291.00000000042C3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931614131.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1933188058.00000000042C3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1933228210.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932983840.00000000042B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.go
Source: BundleSweetIMSetup.exe String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_d
Source: BundleSweetIMSetup.exe String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_defaul
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918937740.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp, Preferences.0.dr String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: BundleSweetIMSetup.exe, 00000000.00000003.1947357892.00000000042AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?
Source: BundleSweetIMSetup.exe, 00000000.00000003.1935924437.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935482180.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935593919.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935848149.00000000042AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7
Source: BundleSweetIMSetup.exe, 00000000.00000003.1947769791.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947178638.00000000042B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBU
Source: BundleSweetIMSetup.exe String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqmf
Source: BundleSweetIMSetup.exe String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR
Source: BundleSweetIMSetup.exe String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9
Source: prefs.js.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BundleSweetIMSetup.exe String found in binary or memory: https://mail.google.com/mail/installwebapp
Source: BundleSweetIMSetup.exe, 00000000.00000003.1931108151.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931357660.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932783884.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932818795.00000000042C5000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1931614131.00000000042C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrom4
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918937740.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp, Preferences.0.dr String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: BundleSweetIMSetup.exe String found in binary or memory: https://support.micr
Source: BundleSweetIMSetup.exe String found in binary or memory: https://www.amazon.
Source: BundleSweetIMSetup.exe, 00000000.00000002.2076466457.00000000042B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=G
Source: BundleSweetIMSetup.exe String found in binary or memory: https://www.amazon.com/?tag=admarketus-2
Source: BundleSweetIMSetup.exe String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=
Source: BundleSweetIMSetup.exe, 00000000.00000003.1944544419.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945077551.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936131977.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942817662.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946115163.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935736279.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944882361.00000000042B1000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1932917107.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948421204.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943216817.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947394238.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943178865.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935188702.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935096471.00000000042B6000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945303103.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948205588.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934686053.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935997640.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947357892.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946975552.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1936337518.00000000042BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BundleSweetIMSetup.exe, 00000000.00000002.2075447475.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BundleSweetIMSetup.exe, 00000000.00000002.2075447475.000000000332C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: BundleSweetIMSetup.exe, 00000000.00000003.1945571211.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943390567.0000000004296000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_U
Source: BundleSweetIMSetup.exe, 00000000.00000003.1947769791.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947178638.00000000042B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid
Source: BundleSweetIMSetup.exe String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid
Source: BundleSweetIMSetup.exe, 00000000.00000003.1934475528.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMA
Source: BundleSweetIMSetup.exe, 00000000.00000003.1944544419.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945571211.0000000004296000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1943390567.0000000004296000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEM
Source: BundleSweetIMSetup.exe String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL
Source: BundleSweetIMSetup.exe, 00000000.00000003.1936337518.00000000042BF000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948059516.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1945116548.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946819961.0000000004271000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1948585972.00000000042B4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947911162.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935188702.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946152544.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946475050.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942957332.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947694690.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942852451.00000000042C7000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935924437.00000000042AC000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934723785.00000000042B3000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1935593919.00000000042A4000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1944176269.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1947806512.00000000042C2000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946074746.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1934003704.00000000042A8000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1942781086.00000000042BD000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1946308990.00000000042BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918937740.000000000427A000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1918984515.000000000427A000.00000004.00000020.00020000.00000000.sdmp, Preferences.0.dr String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 13.249.98.125:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.249.98.125:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.193.120.112:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main Start Page

System Summary

Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/main.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/sweetim-toolbar.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/chevron.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/commands.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/config.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/contentmenu-handler.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/contentmenu.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/cookies.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/file.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/globals.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/highlight.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/history.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/install.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/logger.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/registry.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/release.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/search.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/searchguard.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/searchservice.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/splitter.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/stringbundles.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/tabinfo.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/tabinfo-array.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/tooltip.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/uninstallobserver.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/version.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/webprogresslistener.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/remote.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/dynamic.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/ppcbully.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/gui.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/inject.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/version-ff.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/findword.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/wait.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/addonlistener.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/addonmanager.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/global-namespace.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/messagebox.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/domainutils.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: chrome/sweetim-toolbar/content/generalobserver.js
Source: SweetIMToolbar.xpi.10.dr Zip Entry: components/SIMAutoCompleteSearch.js
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081D66C GetLastError,GetCurrentProcessId,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,FindCloseChangeNotification,CloseHandle,OpenProcess,OpenProcess,GetCurrentProcess,DuplicateHandle,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,ReleaseMutex,CloseHandle,CloseHandle,SetLastError, 7_2_0081D66C
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081C98C LocalAlloc,NtReplyWaitReceivePort,NtAcceptConnectPort,LocalFree,GetCurrentProcessId,LocalAlloc,NtAcceptConnectPort,LocalAlloc,LocalFree,NtCompleteConnectPort,CloseHandle,SetEvent,EnterCriticalSection,LeaveCriticalSection,LocalFree,NtAcceptConnectPort,LocalFree,LocalFree,LocalFree, 7_2_0081C98C
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081CCDC InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalAlloc,NtCreatePort,LocalFree,EnterCriticalSection,LocalAlloc,CreateSemaphoreA,CreateThread,CreateThread,SetThreadPriority,SetThreadPriority,InitializeCriticalSection,LeaveCriticalSection, 7_2_0081CCDC
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081DC3A ReleaseSemaphore,NtConnectPort,WaitForSingleObject,TerminateThread,CloseHandle,WaitForSingleObject,TerminateThread,CloseHandle,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,LocalFree,LocalFree,CloseHandle,CloseHandle,DeleteCriticalSection,LocalFree, 7_2_0081DC3A
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081D664 GetLastError,GetCurrentProcessId,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,NtConnectPort,CloseHandle,FindCloseChangeNotification,CloseHandle,OpenProcess,CloseHandle,SetLastError, 7_2_0081D664
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081CB86 LocalAlloc,NtReplyWaitReceivePort,NtAcceptConnectPort,LocalFree,ReleaseSemaphore,LocalFree, 7_2_0081CB86
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007CCA30 ?CreateLowProcess@CVistaSupport@OSVista@@QAEHPBG0K@Z,wcslen,wcscpy,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,ConvertStringSidToSidW,GetLengthSid,SetTokenInformation,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,LocalFree,CloseHandle,CloseHandle, 7_2_007CCA30
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00421166 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 1_2_00421166
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007CC6F0 ?Restart@CShutDownManager@@QAE_N_N@Z,ExitWindowsEx, 7_2_007CC6F0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\48c209.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC380.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4F8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC547.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{A81A974F-8A22-43E6-9243-5198FF758DA1}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICDA5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{A81A974F-8A22-43E6-9243-5198FF758DA1}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{A81A974F-8A22-43E6-9243-5198FF758DA1}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\48c20c.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID16F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID25A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2C8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDA99.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\48c20d.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE99E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEAC8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEB08.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEB47.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\48c210.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEF30.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF7EB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF889.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF8B9.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC380.tmp
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Code function: 0_3_0429ED80 0_3_0429ED80
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00432106 1_2_00432106
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_0042C18D 1_2_0042C18D
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00428BF0 1_2_00428BF0
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00409C88 5_2_00409C88
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00406966 5_2_00406966
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00402580 5_2_00402580
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00404B7C 5_2_00404B7C
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00492180 7_2_00492180
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007B1360 7_2_007B1360
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007CE660 7_2_007CE660
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007CE7A0 7_2_007CE7A0
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007CD950 7_2_007CD950
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008110B8 7_2_008110B8
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080C3F4 7_2_0080C3F4
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008098CC 7_2_008098CC
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080E9E8 7_2_0080E9E8
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080BB10 7_2_0080BB10
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00812D90 7_2_00812D90
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00808EBC 7_2_00808EBC
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_10012050 7_2_10012050
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C37DC27 7_2_7C37DC27
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C396FA7 7_2_7C396FA7
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: String function: 00404B30 appears 35 times
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: String function: 7C3630A4 appears 50 times
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: String function: 0080451C appears 65 times
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: String function: 008044F8 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: String function: 00427498 appears 243 times
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: P@...*OLESelfRegisterSpecialBuildProductVersionProductNamePrivateBuildOriginalFilenameLegalTrademarksLegalCopyrightInternalNameFileVersionFileDescriptionCompanyNameComments\VarFileInfo\TranslationUnknown@ vs BundleSweetIMSetup.exe
Source: BundleSweetIMSetup.exe, 00000000.00000002.2076548180.00000000042B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemgToolbarIE.dll$ vs BundleSweetIMSetup.exe
Source: BundleSweetIMSetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1714110143_4764703_750.tmp.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal60.phis.spyw.winEXE@39/504@21/9
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00421166 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 1_2_00421166
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007CC720 ?AdjustToken@CShutDownManager@@AAE_N_N@Z,GetCurrentProcess,OpenProcessToken,GetLastError,_CxxThrowException,LookupPrivilegeValueW,GetLastError,_CxxThrowException,AdjustTokenPrivileges,GetLastError,_CxxThrowException,wsprintfW,MessageBoxW,CloseHandle, 7_2_007CC720
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081E15C GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueA,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,LocalFree,CloseHandle,FindCloseChangeNotification, 7_2_0081E15C
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081E143 GetCurrentProcess,OpenProcessToken,GetTokenInformation,LocalAlloc,GetTokenInformation,LookupPrivilegeValueA,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,LocalFree,CloseHandle,FindCloseChangeNotification, 7_2_0081E143
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_004207E4 LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary, 1_2_004207E4
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007BE200 ?URLEncode2@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@V12@K@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,CoCreateInstance,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??_U@YAPAXI@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z,??_V@YAXPAX@Z,??_V@YAXPAX@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_007BE200
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_0040A454 FindResourceA,SizeofResource,LoadResource,LockResource, 1_2_0040A454
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track[1].htm
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{D564BB4E-74F6-4fd5-900A-313328F6DF9F}
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{EEE6C370-6118-11DC-9C72-001320C79847}
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\1714110139_4760671_41.tmp
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: CREATE TABLE %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);name='%q'
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');sqlite_sequence
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 48c209.msi.3.dr, 1714110143_4764703_750.tmp.0.dr, SweetIESetup.msi.8.dr, 48c20d.msi.3.dr, mgSqlite3.dll.4.dr, mgSqlite3.dll.3.dr, mgSqlite3.dll.10.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 1714110143_4764703_750.tmp.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;U
Source: BundleSweetIMSetup.exe ReversingLabs: Detection: 50%
Source: BundleSweetIMSetup.exe Virustotal: Detection: 37%
Source: BundleSweetIMSetup.exe String found in binary or memory: user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);
Source: BundleSweetIMSetup.exe String found in binary or memory: "web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_d
Source: BundleSweetIMSetup.exe String found in binary or memory: edpiccmgmieda":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"dcb37f49-aa68-4ebc-a8d4-14eaa556e331"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_defaul
Source: BundleSweetIMSetup.exe String found in binary or memory: 8f88011f783"); user_pref("app.update.auto.migrated", true); user_pref("app.update.background.rolledout", true); user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830)
Source: BundleSweetIMSetup.exe String found in binary or memory: "],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https:/
Source: BundleSweetIMSetup.exe String found in binary or memory: mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_
Source: BundleSweetIMSetup.exe String found in binary or memory: japmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["htt
Source: BundleSweetIMSetup.exe String found in binary or memory: s://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentat
Source: BundleSweetIMSetup.exe String found in binary or memory: on/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chro
Source: BundleSweetIMSetup.exe String found in binary or memory: om/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp
Source: BundleSweetIMSetup.exe String found in binary or memory: 3-bf01-28f88011f783"); user_pref("app.update.auto.migrated", true); user_pref("app.update.background.rolledout", true); user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 169
Source: BundleSweetIMSetup.exe String found in binary or memory: usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],
Source: BundleSweetIMSetup.exe String found in binary or memory: hbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldo
Source: BundleSweetIMSetup.exe String found in binary or memory: mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrat
Source: BundleSweetIMSetup.exe String found in binary or memory: eanup-thumbnails", 0); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830); user_pr
Source: BundleSweetIMSetup.exe String found in binary or memory: pdateTime.browser-cleanup-thumbnails", 0); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1
Source: unknown Process created: C:\Users\user\Desktop\BundleSweetIMSetup.exe "C:\Users\user\Desktop\BundleSweetIMSetup.exe"
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Process created: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe /s /w /v" /qn SIMHP=0 SIMSP=0 "
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{8929CE83-143A-4A6A-A32A-AA9D4E2B602B}\SweetIMSetup.msi" /qn SIMHP=0 SIMSP=0 SETUPEXEDIR="C:\Users\user\AppData\Local\Temp"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A265C8E8A3BB4B1A10A4D9F720E583B6
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe http://sweetim.com,C:\Users\user\AppData\LocalLow\simcookies.dat
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe "C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe" -AutoStartIM
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Process created: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe /s /w /v" /qn SIMOB=0 SIMADDREGIE={UserSelectedHP=1,UserSelectedDS=1} "
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{B3CA5B4C-F637-458C-81D6-CD8DADBE9841}\SweetIESetup.msi" /qn SIMOB=0 SIMADDREGIE={UserSelectedHP=1,UserSelectedDS=1} SETUPEXEDIR="C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F0CC6D3E1A3C8837D5C7D007B45C879F
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.sweetim.com/installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588}
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1960,i,7459701528248846225,13626864308159879949,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Section loaded: msvcr71.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msvcr71.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgupdatesupport.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgcommon.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgconfig.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgadaptersproxy.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: msvcp71.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: msvcr71.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgsimcommon.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgcommunication.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgcommon.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mghooking.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgxml_wrapper.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgconfig.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: msvcp71.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: msvcr71.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: msvcr71.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mgxml_wrapper.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: msvcr71.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msvcr71.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msvcr71.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mgsimcommon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mgcommon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mgconfig.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mghooking.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mghelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mgcommon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mgxml_wrapper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe File written: C:\Users\user\AppData\Local\Temp\{8929CE83-143A-4A6A-A32A-AA9D4E2B602B}\Setup.INI
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Window detected: Agree && Continue >DisagreeTo continue the installation you must agree to the following terms of service agreementSweetIM provides aid when misspelling or incorrectly formatting browser address request.SWEETIM Technologies LTD.Thank you for installing SweetIM for Messenger and SweetIM Toolbar for browserSweetIM is certified as Trusted Download Program by TRUSTeEND USER LICENSE AGREEMENT / TERMS OF SERVICE / AND PRIVACY POLICY IMPORTANT - PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY.THIS AGREEMENT SHALL GOVERN YOUR USE OF SWEETIM SOFTWARE SERVICE AND SITE. IF AFTER READING THIS AGREEMNET YOU WISH TO USE THE SWEETIM SOFTWARE WEBSITE AND ITS FEATURES PLEASE INDICATE YOUR ACCEPTANCE HEREOF BY CLICKING "I AGREE" AT THE END.Please note: (1) you MUST be 13 years or older to install or to use the SweetIM Software. If you are not yet 13 do not download SweetIM Software; (2) the SweetIM Software is not intended for use by or be available to persons under the age limit of any jurisdiction which restricts the use of Internet-based applications and services according to age. IF YOU RESIDE IN SUCH A JURISDICTION AND ARE UNDER THAT JURISDICTION'S AGE LIMIT FOR USING INTERNET-BASED APPLICATIONS OR SERVICES YOU MAY NOT DOWNLOAD INSTALL OR USE THE SWEETIM SOFTWARE AND YOU MAY NOT ACCESS THE SERVICESThis combined End User License Agreement / Terms / and Privacy policy (The "Agreement") constitutes a valid and binding agreement between SweetIM Technologies LTD. (formerly known as Imvent Ltd) which governs the use of the SweetIM Website Software and its features (together with its affiliates successors and assigns "SweetIM") and you ("you" or "your") for the use of the SweetIM Software Network Content and Services as defined below. You must enter into this agreement in order to install and use such SweetIM Software. 
When you download the SweetIM Software you will receive the following software features: 1.SweetIM for Messenger: An add-on toolbar that allows you to easily add fun content to your instant messenger conversations. This content is updated constantly and offers fun Emoticons Audibles Winks SoundFX Nudges Games special effects and more.2.SweetIM Toolbar for IE and for Firefox: A toolbar that is located on your internet browser and allows you to:oAdd SweetIM fun content such as emoticons texticons and other animations to web mail chat forums and social networksoSearch the web through SweetIM Search powered by Google (described below).oSweetIM Search: allows you to search the web through:1.A search box in the toolbar.2.Default Search (for IE 7 and up and Firefox): Using the search box next to the address bar. Upon installation we offer you to use SweetIM search as your default search provider in IE 7 and up and Firefox. You can manually choose other search providers by clicking on the drop down button next to the search box. 3. Search Assistance: if you place a search query in the address bar or misspell an address this feature provides you with
Source: BundleSweetIMSetup.exe Static PE information: certificate valid
Source: BundleSweetIMSetup.exe Static file information: File size 4666160 > 1048576
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe File opened: C:\Program Files (x86)\SweetIM\Messenger\MSVCR71.dll
Source: BundleSweetIMSetup.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x465200
Source: BundleSweetIMSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Imvent\Develop\Client\vc\output\release\mgconfig.pdb source: mgconfig.dll0.3.dr
Source: Binary string: C:\Imvent\Develop\Client\vc\SweetSDM\Release\SweetSDM.pdb source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: c:\Imvent\Develop\Client\vc\Toolbar\Release_bin\mgHelper.pdbh source: mgHelper.dll.3.dr
Source: Binary string: c:\SimOlderVersions\SIM 3.6\Client\vc\output\Release\mgICQMessengerAdapter.pdb source: mgICQMessengerAdapter.dll.3.dr
Source: Binary string: c:\Imvent\Develop\Client\vc\output\release\mghooking.pdb source: mghooking.dll0.3.dr
Source: Binary string: c:\Imvent\Develop\Client\vc\Toolbar\Release_bin\mgHelper.pdb source: mgHelper.dll.3.dr
Source: Binary string: msvcp71.pdb source: SweetIM.exe, SweetIM.exe, 00000007.00000002.1895639481.000000007C3C1000.00000020.00000001.01000000.00000010.sdmp, msvcp71.dll.3.dr
Source: Binary string: c:\Imvent\Develop\Client\vc\Toolbar\output\release\mgToolbarProxy.pdb source: mgToolbarProxy.dll.3.dr
Source: Binary string: c:\SimOlderVersions\SIM 3.6\Client\vc\output\release\mgICQAuto.pdb source: mgICQAuto.dll.3.dr
Source: Binary string: C:\Imvent\Develop\Client\vc\SweetSDM\Release\SweetSDM.pdb@ source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: msvcr71.pdb source: SweetIMSetup.exe, 00000001.00000002.1844516312.000000007C361000.00000020.00000001.01000000.00000011.sdmp, SweetIM.exe, SweetIM.exe, 00000007.00000002.1895440500.000000007C361000.00000020.00000001.01000000.00000011.sdmp
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_004101BC __EH_prolog,lstrcpyA,lstrcpyA,lstrcpyA,LoadLibraryA,GetProcAddress,FreeLibrary, 1_2_004101BC
Source: 1714110143_4764703_750.tmp.0.dr Static PE information: section name: .stab
Source: 1714110143_4764703_750.tmp.0.dr Static PE information: section name: .stabstr
Source: mgAdaptersProxy.dll.3.dr Static PE information: section name: .SHARDAT
Source: mgHelper.dll.3.dr Static PE information: section name: .SHARED
Source: mgToolbarIE.dll.3.dr Static PE information: section name: .SHARED
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00427498 push eax; ret 1_2_004274B6
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00427BC0 push eax; ret 1_2_00427BEE
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00405940 push eax; ret 5_2_00405954
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00405940 push eax; ret 5_2_0040597C
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_00404B6B push ecx; ret 5_2_00404B7B
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_0040AF14 push eax; ret 5_2_0040AF32
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004080D7 push ecx; ret 7_2_004080E7
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00485987 push ecx; ret 7_2_00485997
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0049306F push ecx; ret 7_2_0049307F
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00492CF0 push eax; ret 7_2_00492D04
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00492CF0 push eax; ret 7_2_00492D2C
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004A35E7 push ecx; ret 7_2_004A35F7
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004C4610 push eax; ret 7_2_004C4624
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004C4610 push eax; ret 7_2_004C464C
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004C48EF push ecx; ret 7_2_004C48FF
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004D7763 push ecx; ret 7_2_004D7773
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007D407B push ecx; ret 7_2_007D408B
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007D3C70 push eax; ret 7_2_007D3C84
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007D3C70 push eax; ret 7_2_007D3CAC
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007BCF50 push ecx; mov dword ptr [esp], 00000000h 7_2_007BCF66
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080D0D8 push 0080D104h; ret 7_2_0080D0FC
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008080E0 push 00808133h; ret 7_2_0080812B
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00807060 push 0080708Ch; ret 7_2_00807084
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00808138 push 00808165h; ret 7_2_0080815D
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081E4A0 push 0081E533h; ret 7_2_0081E52B
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008055E4 push 00805635h; ret 7_2_0080562D
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081E538 push 0081E56Ch; ret 7_2_0081E564
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0081E63C push 0081E662h; ret 7_2_0081E65A
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080589E push 008058CCh; ret 7_2_008058C4
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008058A0 push 008058CCh; ret 7_2_008058C4
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008058D8 push 00805904h; ret 7_2_008058FC
Source: msvcr90.dll.3.dr Static PE information: section name: .text entropy: 6.922045894978299
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID16F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgAdaptersProxy.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcm90.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcp90.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgcommon.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\ContentPackagesActivationHandler.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgcommunication.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgxml_wrapper.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF889.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgICQAuto.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgYahooAuto.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgconfig.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgUpdateSupport.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\msvcr71.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\1714110143_4764703_750.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgsimcommon.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDA99.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4F8.tmp
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF7EB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mglogger.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2C8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgArchive.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgsimcommon.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgMsnAuto.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEB08.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}\mgSqlite3.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcr90.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgMediaPlayer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEAC8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID25A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\ClearHist.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC380.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgcommon.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgconfig.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe (copy)
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\1714110143_4764500_750.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEF30.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgICQMessengerAdapter.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\1714110143_4764625_750.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgSweetIM.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC547.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF8B9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgYahooMessengerAdapter.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mglogger.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE99E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgFlashPlayer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mghooking.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgxml_wrapper.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\mgSqlite3.dll
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File created: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mghooking.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\msvcp71.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\resources\sqlite\mgSqlite3.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SweetIM\Messenger\mgMsnMessengerAdapter.dll

Boot Survival

Source: C:\Windows\SysWOW64\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar {EEE6C35B-6118-11DC-9C72-001320C79847}
Source: C:\Windows\SysWOW64\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847} NULL
Source: C:\Windows\SysWOW64\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847} NoExplorer
Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SweetIM
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00422B9D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00422B9D
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgArchive.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgMsnAuto.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEB08.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID16F.tmp
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}\mgSqlite3.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcr90.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgMediaPlayer.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcp90.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcm90.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEAC8.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID25A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\ClearHist.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\ContentPackagesActivationHandler.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC380.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF889.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgYahooAuto.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgICQAuto.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEF30.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgICQMessengerAdapter.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgSweetIM.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC547.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF8B9.tmp
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1714110143_4764703_750.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mglogger.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgYahooMessengerAdapter.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIDA99.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE99E.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgFlashPlayer.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\mgSqlite3.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4F8.tmp
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF7EB.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mglogger.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\resources\sqlite\mgSqlite3.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID2C8.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SweetIM\Messenger\mgMsnMessengerAdapter.dll
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe API coverage: 6.0 %
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\SweetIESetup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00413D18 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose, 1_2_00413D18
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00422D97 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose, 1_2_00422D97
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007B36A0 _IsDirectoryEmpty@4,wcslen,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,FindFirstFileW,wcscmp,wcscmp,wcscmp,FindNextFileW,FindClose,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_007B36A0
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007B3800 DeleteFolder,wcslen,IsDirectoryFile,wcscpy,PathAddBackslashW,PathAddExtensionW,FindFirstFileW,FindNextFileW,wcscpy,PathAddBackslashW,wcscat,DeleteFileW,DeleteFolder,FindClose,RemoveDirectoryW, 7_2_007B3800
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_10007070 ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,RegQueryValueExW,wcslen,wcscat,_IsFileExist@4,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,RegCloseKey,?GetShellFolderPath@@YG?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_IsFileExist@4,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,RegQueryValueExW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,wcslen,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,wcscpy,PathStripPathW,wcslen,wcslen,wcslen,?erase@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@II@Z,?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,FindClose,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB,wcslen,?erase@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@II@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z,?SplitString@@YAHABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@0AAV?$vector@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@V?$allocator@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@@2@@2@H@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,_wtoi,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,_wtoi,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, 7_2_10007070
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C378DFA _wstat,wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileW,wcspbrk,_wfullpath,wcslen,GetDriveTypeW,_errno,__doserrno,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 7_2_7C378DFA
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C376DCB _findfirst64,FindFirstFileA,GetLastError,_errno,_errno,_errno,strcpy, 7_2_7C376DCB
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C377ED3 _stat,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileA,_mbspbrk,_fullpath,strlen,GetDriveTypeA,_errno,__doserrno,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 7_2_7C377ED3
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C376FD6 _findfirsti64,FindFirstFileA,GetLastError,_errno,_errno,_errno,strcpy, 7_2_7C376FD6
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_0041AD16 GetVersionExA,GetSystemInfo, 1_2_0041AD16
Source: VistaCookiesCollector.exe, 00000005.00000002.1791302329.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: BundleSweetIMSetup.exe, 00000000.00000003.1726120393.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1736669295.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068998373.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2073522009.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2064156782.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2066491581.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1731561853.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712185619.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1969287489.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068807066.0000000002A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BundleSweetIMSetup.exe, 00000000.00000003.1726120393.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1736669295.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2064156782.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2066491581.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1731561853.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2068807066.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000002.2074530070.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1712010420.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1720707154.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.2061543965.0000000002A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&
Source: SweetIM.exe, 00000007.00000002.1893598487.0000000000516000.00000004.00000020.00020000.00000000.sdmp, SweetIM.exe, 00000007.00000003.1892322214.0000000000516000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00404DE4 GetProcessHeap,LdrInitializeThunk, 1_2_00404DE4
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_004101BC __EH_prolog,lstrcpyA,lstrcpyA,lstrcpyA,LoadLibraryA,GetProcAddress,FreeLibrary, 1_2_004101BC
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00817534 mov eax, dword ptr fs:[00000030h] 7_2_00817534
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_008179F5 mov eax, dword ptr fs:[00000030h] 7_2_008179F5
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_00817A00 mov eax, dword ptr fs:[00000030h] 7_2_00817A00
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080BDBC mov eax, dword ptr fs:[00000030h] 7_2_0080BDBC
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00404008 GetFileSize,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 1_2_00404008
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_0042E90F SetUnhandledExceptionFilter, 1_2_0042E90F
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_0042E921 SetUnhandledExceptionFilter, 1_2_0042E921
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_0040480E SetUnhandledExceptionFilter, 5_2_0040480E
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: 5_2_004047FA SetUnhandledExceptionFilter, 5_2_004047FA
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.sweetim.com/installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe "C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe" -AutoStartIM
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_007B66A0 ?init@CMutex@@QAEXPAG@Z,??0CWinOsInfo@@QAE@XZ,?IsVistaOrLater@CWinOsInfo@@QBE_NXZ,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,CreateMutexW,CreateMutexW,CreateMutexW,GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,GetLastError,wsprintfW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG@Z,??0CErrException@@QAE@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??_7CErrException@@6B@,_CxxThrowException,??1CWinOsInfo@@UAE@XZ, 7_2_007B66A0
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_0042123B GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid, 1_2_0042123B
Source: BundleSweetIMSetup.exe, BundleSweetIMSetup.exe, 00000000.00000003.1731380441.00000000042BB000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1731472873.00000000042C0000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1941087262.00000000042AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SweetIMSetup.exe, SweetIMSetup.exe, 00000001.00000002.1843428963.000000000043D000.00000008.00000001.01000000.0000000A.sdmp, SweetIMSetup.exe, 00000001.00000000.1745279311.000000000043D000.00000008.00000001.01000000.0000000A.sdmp, SweetIESetup.exe, 00000008.00000002.1913355012.000000000043D000.00000008.00000001.01000000.00000017.sdmp Binary or memory string: Shell_TrayWnd
Source: BundleSweetIMSetup.exe, 00000000.00000003.1918020280.000000000429D000.00000004.00000020.00020000.00000000.sdmp, BundleSweetIMSetup.exe, 00000000.00000003.1917921416.0000000004296000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager!V
Source: BundleSweetIMSetup.exe, 00000000.00000002.2071455802.000000000045F000.00000040.00000001.01000000.00000003.sdmp, SweetIMSetup.exe, 00000001.00000002.1843428963.000000000043D000.00000008.00000001.01000000.0000000A.sdmp, SweetIMSetup.exe, 00000001.00000000.1745279311.000000000043D000.00000008.00000001.01000000.0000000A.sdmp Binary or memory string: %sSetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLogShell_TrayWndSplashTimeTahomaCancelMsi.dll%x,ALLCANCELDescriptionTitleMSlovenianBasquedefault%#04x0x0409.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot%.2lx" 00000000000000000000000000000000AM_OTP#xAM_CONTENTID="This program cannot be run in DOS mode.toys::file
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_0080D74C cpuid 7_2_0080D74C
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: GetLocaleInfoA, 1_2_004213BE
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: GetLocaleInfoA,TranslateCharsetInfo, 1_2_00421361
Source: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe Code function: GetLocaleInfoA, 5_2_00408CF8
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: GetLocaleInfoA, 7_2_00805570
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: ??0CWinOsInfo@@QAE@XZ,?GetPlatformId@CWinOsInfo@@QBEKXZ,?GetMajor@CWinOsInfo@@QBEKXZ,?GetMinor@CWinOsInfo@@QBEKXZ,?GetCSDString@CWinOsInfo@@QBEPBGXZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,wsprintfW,wsprintfW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,wsprintfW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,wsprintfW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,??1CWinOsInfo@@UAE@XZ,GetLocaleInfoW,GetLocaleInfoW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,??_V@YAXPAX@Z, 7_2_10005490
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,strcpy,_itoa, 7_2_7C370C1A
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: GetLocaleInfoA,atol, 7_2_7C370DCF
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: GetLastError,malloc,malloc,free,_strncpy,free,__crtGetLocaleInfoW,isdigit, 7_2_7C370FF0
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00413EA3 __EH_prolog,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,wsprintfA,wsprintfA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetSystemTimeAsFileTime, 1_2_00413EA3
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_7C372E79 _lock,strcmp,free,strlen,malloc,strcpy,_strncpy,atol,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_local_unwind2,atol,atol,_strncpy, 7_2_7C372E79
Source: C:\Users\user\AppData\Local\Temp\SweetIMSetup.exe Code function: 1_2_00415269 GetVersionExA,GetTempPathA,GetWindowsDirectoryA,wsprintfA, 1_2_00415269

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\searchplugins\sweetim.xml
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\searchplugins\sweetim.xml

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\user.js
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\searchplugins\sweetim.xml
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-wal
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\prefs.js
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\BundleSweetIMSetup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\user.js
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004C3B60 ?OnStopBinding@CBSCallbackImpl@@UAGJJPBG@Z, 7_2_004C3B60
Source: C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe Code function: 7_2_004C3BA0 ?GetBindInfo@CBSCallbackImpl@@UAGJPAKPAU_tagBINDINFO@@@Z, 7_2_004C3BA0