Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs SweetIM

SweetIM

By JubileeX in Potentially Unwanted Programs

Threat Scorecard

Popularity Rank: 1,830
Threat Level: 20 % (Normal)
Infected Computers: 220,868
First Seen: May 3, 2010
Last Seen: January 23, 2026
OS(es) Affected: Windows

SweetIM Image

When PC security researchers see the message 'get free smilies', it immediately sets off multiple red flags. This is because the offer of free emoticons is one of the most common ways in which criminals entice inexperienced computer users into downloading and installing malware onto their computer system. SweetIM, associated with the website and toolbar search.sweetim.com, is one of many dodgy companies that lures its victims with the promise of free emoticons but delivers nothing but plenty of hassles and security risks. Because of this, security researchers strongly advise computer users to stay away from SweetIM or from the search.sweetim.com website. Contact with this 'free' service will do nothing but bring infections to your computer system and install a toolbar that cannot be removed through normal means.

The Main Problems with SweetIM

Computer users visiting websites that do not take care to make sure that advertisements they display are not associated with malware will often have come across obtrusive banner advertisements promising free emoticons for your computer. These obnoxious advertisements will often use pop-up windows or sound in order to obstruct computer users' normal online activity. SweetIM follows all of these tactics. If a computer user downloads SweetIM, SweetIM will immediately block all web browsers except Internet Explorer, since SweetIM is designed to take advantage of Internet Explorer's known vulnerabilities to Browser Helper Objects (that is, malicious toolbars designed to affect your web browser in some way or another). Then, once installed, SweetIM will not allow the victim to remove the SweetIM toolbar from the web browser through normal uninstall procedures. Since the search.sweetim.com toolbar has several obtrusive features (such as being associated with browser redirects and pop-ups, as well as containing elements that may be spying on your online activity), many computer users will quickly want to remove this obnoxious presence from the web browser.

Removing the SweetIM Toolbar

Since SweetIM does not allow removal through Internet Explorer's 'remove add-on' feature and it cannot be removed from the Control Panel, SweetIM may end up leaving a frown on many of its victims' faces. However, removing SweetIM can be done by downloading a particular tool which will erase this obtrusive presence from your computer system. Many anti-virus or anti-malware programs will not detect SweetIM for what SweetIM is, although some of the top anti-malware programs on the market will include tools that allow computer users to deal with infections similar to SweetIM. Downloading and installing the latest definitions for your anti-malware software should help in detecting any malware that may have entered your system as a result of installing SweetIM.

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AVG Sweetim.4FB
AVG MalSign.BitCocktail.0E0
Sophos BitCocktail
TrendMicro TROJ_SPNR.16AM12
Comodo TrojWare.Win32.PkdKrap.Gx
Avast Win32:Downloader-MOM [Trj]
NOD32 a variant of Win32/Kryptik.ZBL
McAfee Artemis!B35054C47844
BitDefender Gen:Variant.Graftor.12959
NOD32 a variant of Win32/Kryptik.ZCE
Antiy-AVL Trojan/win32.agent.gen
McAfee-GW-Edition Heuristic.BehavesLike.Win32.ModifiedUPX.J!87
McAfee GenericTRA-AC!1B37D00E7204
AVG Generic26.ASSM
BitDefender Gen:Variant.Kazy.50515

SpyHunter Detects & Remove SweetIM

File System Details

SweetIM may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. dnkt.exe#C1E705B306E2D6BE b2cf341204e5ff0353f6421e2d3c8701 5,066
2. dnkt.exe.vir 1e1877ff0ece5d97b30c67470cea55ac 1,678
3. lmrn.dll.vir a1939f2c611e9ddd3d3d9083bbfd0c0b 728
4. Extension32.dll.vir 4c1d9f10981bc18417e73151a9d37716 597
5. ExtensionUpdaterService.exe.vir 388aed0bbe3b0d10297c52c9983df444 500
6. SweetNT.crx 189bf5cb9190caef035e00ca521433fb 374
7. QueblesAutoUpdate.exe d07a6925513f34272f0a8388ff25b7c6 357
8. USDownloader.exe 57c3d3cd8d2c2863ce09cd1f41836718 222
9. SweetPacksUpdateManager.exe 0c24f7ee670437f023612ff31cad22bb 149
10. Extension32.dll 0a6f5467b99a4724d1914694aafb9b80 144
11. SweetIMSetup.exe 3922583eb499ea4c003802ca9cd77e3d 72
12. unins000.exe 7efccf3c7cccda95a46d3d6002237307 32
13. xmxt.exe 9c23ecf21c7d5ac34bbacbf23f537b3a 27
14. hDNYrohYYsM.exe cc813c29bf35e72fa8c1724773b7c3e7 26
15. bclm.exe 8af4d2267051abe2f29769b0b64f6283 25
16. dnkt.exe 89ac1db015062b37f97f175e69ec57ee 12
17. SweetIM.exe 3c65a1e2a4ce6e4023da1a3de42e003b 11
18. mgHelper.dll c59d3f7d30d853f2202b3076b3a77958 10
19. Extension64.dll 56ca7193a4035792f39df4652be0d8c1 6
20. 264dsse2.dll 39fad13f5cd84e1eaae3659a278cf313 5
21. _ex-68.exe c6cf379023f8d74dd223477d01d2b5ea 4
22. xqfaji.exe ca6551e16849718240091a1f4e7ae490 4
23. ExtensionUpdaterService.exe e3ac6d88f6af116fbd767d6d9720be03 3
24. DevWebAgent.dll e61907120bcb10e1ba91dda5454f4973 2
25. 25.exe e92d2186100d900c7c56b4f875abf1de 2
26. crrss.exe 3bbea3f0047085ffee80bf0326840758 2
27. aopnaaguwewryg.exe b35054c47844740352fd12147a1335cb 2
28. ypmvzoag.dll 41f97c4c5a4c0b3139355fa846926ab9 2
29. vpsqac.exe 59585389d756e02184957340fb514efe 1
30. mgToolbarIE.dll b77b048b498b0bc09621b63f0247c4c0 1
31. C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
32. C:\Program Files\Macrogaming\
33. C:\Program Files\Macrogaming\SweetIMBarForIE\Greetingcards_23x18.bmp
34. C:\Program Files\Macrogaming\SweetIMBarForIE\SmileyWink.bmp
35. C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.crc
36. C:\Program Files\Macrogaming\SweetIMBarForIE\SmileySmile.bmp
37. C:\Program Files\Macrogaming\SweetIMBarForIE\
38. C:\Program Files\Macrogaming\SweetIMBarForIE\Mobile_23x18.bmp
39. C:\Program Files\Macrogaming\SweetIMBarForIE\version.txt
40. C:\Program Files\Macrogaming\SweetIMBarForIE\Thumbs.db
41. C:\Program Files\Macrogaming\SweetIMBarForIE\basis.xml
42. C:\Program Files\Macrogaming\SweetIMBarForIE\Cache\
43. C:\Program Files\Macrogaming\SweetIMBarForIE\Games_23x18.bmp
44. C:\Program Files\Macrogaming\SweetIMBarForIE\affid.dat
45. C:\Program Files\Macrogaming\SweetIMBarForIE\sweetimicons.bmp
46. C:\Program Files\Macrogaming\SweetIMBarForIE\Cache\cd2005c66fba47ff715ecc444d3bc1fb.xml
More files

Registry Details

SweetIM may create the following registry entry or registry entries:
CLSID
{1D5A4199-956E-49BC-B89F-6A35C57C0D13}
{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}
{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}
{82AC53B4-164C-4B07-A016-437A8388B81A}
{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
{A439801C-961D-452C-AB42-7848E9CBD289}
{A4A0CB15-8465-4F58-A7E5-73084EA2A064}
{DEDAF650-12B8-48F5-A843-BBA100716106}
{EEE6C358-6118-11DC-9C72-001320C79847}
{EEE6C359-6118-11DC-9C72-001320C79847}
{EEE6C35B-6118-11DC-9C72-001320C79847}
{EEE6C35C-6118-11DC-9C72-001320C79847}
{EEE6C35D-6118-11DC-9C72-001320C79847}
{EEE6C35E-6118-11DC-9C72-001320C79847}
{EEE6C35F-6118-11DC-9C72-001320C79847}
{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}
File name without path
Bubble Hit by GamePacks.lnk
Continue SweetIM Installation.lnk
sweetimsetup[1].7z
Regexp file mask
%TEMP%\[RANDOM CHARACTERS]sweetim[RANDOM CHARACTERS]
HKEY..\..\..\..{RegistryKeys}
SOFTWARE\Classes\Extension.ExtensionHelperObject
SOFTWARE\Classes\Extension.ExtensionHelperObject.1
SOFTWARE\Classes\Installer\Features\4340C4778499EED41AE496DC3D613EC6
SOFTWARE\Classes\Installer\Features\547B38670606DF14AA57B0BB83F3AE4D
SOFTWARE\Classes\Installer\Features\B2FD9C0A5B9838449838816A28001F4B
SOFTWARE\Classes\Installer\Products\4340C4778499EED41AE496DC3D613EC6
SOFTWARE\Classes\Installer\Products\547B38670606DF14AA57B0BB83F3AE4D
SOFTWARE\Classes\Installer\Products\B2FD9C0A5B9838449838816A28001F4B
SOFTWARE\Classes\Installer\UpgradeCodes\789034A89BAC50E4782F0A7BDBF75632
SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
SOFTWARE\Classes\SWEETIE.IEToolbar
SOFTWARE\Classes\SWEETIE.IEToolbar.1
SOFTWARE\Classes\SweetIM_URLSearchHook.ToolbarURLSearchHook
SOFTWARE\Classes\SweetIM_URLSearchHook.ToolbarURLSearchHook.1
SOFTWARE\Classes\Toolbar3.SWEETIE
SOFTWARE\Classes\Toolbar3.SWEETIE.1
SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Software\Microsoft\Internet Explorer\Stats\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BUNDLESWEETIMSETUP.EXE
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWEETIMSETUP.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7D4F1959-3F72-49D5-8E59-F02F8AA6815D}
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\789034A89BAC50E4782F0A7BDBF75632
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Software\Mozilla\Firefox\Extensions\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}
SOFTWARE\Mozilla\Firefox\Extensions\{8E9E3331-D360-4f87-8803-52DE43566502}
Software\SweetIM
SOFTWARE\Updater By SweetPacks
SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{EEE6C35B-6118-11DC-9C72-001320C79847}
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Software\Wow6432Node\Mozilla\Firefox\Extensions\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}
SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions\{8E9E3331-D360-4f87-8803-52DE43566502}
SOFTWARE\Wow6432Node\SweetIM
HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
Bubble Hit Bundle by SweetPacks
Bubble Hit by GamePacks
free-for-download bundle
SweetIM Bundle by SweetPacks
{2F603A45-D956-496B-81B5-50D782424976}
{7683B745-6060-41FD-AA75-0BBB383FEAD4}
{774C0434-9948-4DEE-A14E-69CDD316E36C}
{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}_is1
{953AA732-9AFB-49C9-84A4-7F96CA0A08DA}
{A0C9DF2B-89B5-4483-8983-18A68200F1B4}
{B85C4CB2-B352-4BD8-818C-BCE353599107}
{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}
{F4E33CE5-A7AB-4F68-A7E7-F0AA84EF2D9E}

Directories

SweetIM may create the following directory or directories:

%ALLUSERSPROFILE%\Application Data\SweetIM
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\free-for-download bundle
%ALLUSERSPROFILE%\SweetIM
%LOCALAPPDATA%\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}
%PROGRAMFILES%\SweetIM
%PROGRAMFILES%\sweetpacks bundle uninstaller
%PROGRAMFILES(x86)%\SweetIM
%PROGRAMFILES(x86)%\sweetpacks bundle uninstaller
%ProgramFiles%\Updater By SweetPacks
%ProgramFiles(x86)%\Updater By SweetPacks
%UserProfile%\AppData\LocalLow\SweetIM
%UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}
%WINDIR%\SysWOW64\mjcm
%WINDIR%\SysWOW64\tprb
%WINDIR%\System32\mjcm
%WINDIR%\System32\tprb

URLs

SweetIM may call the following URLs:

sweetpacks-search.com

Analysis Report

General information

Family Name: Adware.SweetIM
Signature status: No Signature

Known Samples

MD5: eaa1e5f3deaefa753c9697175435f792
SHA1: de2b18a0d2e961a1ffb9bfa5c9ca6e4f65e8832c
SHA256: A01193EAFD0268433404038E6C9238237236095990DD11876DAB4384F12B7298
File Size: 351.02 KB, 351024 bytes
MD5: 2a5187683cf09e53115c44fb3fec5ec6
SHA1: ce5274a039a47547c848a7fa7c81f6de740154a4
SHA256: 69781ACB19F504AB7DC22CBBF3367F997954364D909A49BF11688F0F851E12A0
File Size: 1.25 MB, 1253376 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments local setups
Company Name SweetIM Technologies Ltd.
File Description
  • JewelQuest3 Installer by SweetPacks
  • SweetIM Toolbar for Internet Explorer
File Version
  • 3, 4, 0, 10
  • 2, 0, 0, 9
Internal Name
  • SweetIM Toolbar
  • SweetSDM
Legal Copyright
  • Copyright © 2009 SweetIM Technologies Ltd.
  • Copyright © 2011 SweetIM Technologies Ltd.
Original Filename mgToolbarIE.dll
Private Build 2
Product Name
  • JewelQuest3 by SweetPacks
  • SweetIM Toolbar for Internet Explorer
Product Version
  • 3.4.0.10
  • 2, 0, 0, 9
X V I_ Compid 39
X V I_ Internal Prod Ver 10.0.0.11

Digital Signatures

Signer Root Status
SweetIM Technologies Ltd Class 3 Public Primary Certification Authority Root Not Trusted

File Traits

  • dll
  • x86

Block Information

Total Blocks: 3,979
Potentially Malicious Blocks: 359
Whitelisted Blocks: 2,870
Unknown Blocks: 750

Visual Map

0 0 0 0 0 0 ? 0 ? x x ? 0 ? 0 ? 0 ? x x x x x x ? x x x x x x x x x x x x x ? 0 ? 0 0 x ? x x x ? x x x x ? 0 ? 0 x x x x ? ? 0 ? 0 0 ? ? x x ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 0 0 ? ? ? ? 0 ? 0 ? 0 ? 0 0 ? 0 ? 0 ? 0 ? 0 ? ? 0 ? 0 ? 0 ? 0 ? 0 x ? 0 0 x ? ? 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 0 0 ? ? 0 0 ? 0 ? 0 ? 0 ? 0 ? ? 0 ? 0 ? 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 ? 0 ? 0 ? 0 ? 0 ? 0 0 0 0 0 0 0 0 0 ? 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 x 0 ? ? x x 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? x ? 0 0 0 0 ? ? 0 ? ? 0 ? ? ? ? ? x ? 0 ? ? x 0 x ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 ? ? 0 0 0 ? 0 0 0 x x 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 0 0 0 0 0 ? 0 ? ? 0 ? 0 ? ? x 0 ? ? x ? ? ? ? ? ? ? 0 ? ? ? x x ? ? 0 0 ? 0 ? 0 0 ? x 0 ? 0 ? ? 0 ? 0 ? x x x x 0 x ? x x ? ? ? 0 ? 0 ? ? ? ? 0 ? 0 x x x 0 ? 0 x 0 x x x x ? 0 0 0 0 0 ? 0 0 ? ? ? x 0 ? 0 0 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 x 0 ? 0 x 0 0 0 0 ? 0 x 0 x 0 0 0 0 0 x ? ? ? 0 0 0 0 0 x x 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 x ? x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? x x 0 0 ? 0 0 0 0 0 ? 0 0 0 0 x ? 0 ? 0 x 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? 0 0 ? x 0 0 0 0 x 0 0 0 x 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x x x x x x ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? x x ? 0 0 ? ? 0 0 0 0 0 0 0 0 ? x 0 0 x ? ? ? 0 0 ? ? ? ? ? 0 0 0 0 ? 0 0 0 ? ? ? ? x x x x x x x x ? ? ? ? ? ? ? x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x ? x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 ? 0 ? 0 0 0 ? 0 0 0 ? ? 0 x 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 ? 0 ? 0 ? ? 0 0 x 0 0 0 x 0 ? 0 x 0 x x 0 x 0 0 0 0 0 0 0 ? 0 0 x 0 0 0 x ? ? ? ? ? x 0 0 x 0 ? 0 x 0 x 0 0 0 0 ? x 0 0 ? 0 0 0 0 0 0 x 0 0 ? x 0 x 0 0 ? x 0 0 ? ? ? 0 0 ? ? 0 0 0 ? ? ? ? ? ? ? ? ? ? 0 ? ? ? x 0 0 x 0 0 0 0 ? 0 0 ? 0 ? 0 ? 0 ? 0 0 ? 0 ? 0 0 0 0 ? 0 0 ? 0 ? 0 ? 0 ? 0 0 ? 0 ? 0 ? x 0 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? ? 0 0 ? 0 ? 0 0 ? x 0 0 ? 0 ? 0 0 0 0 ? x 0 0 ? x 0 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 0 ? 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? ? ? 0 ? ? 0 ? ? ? 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? ? ? ? ? ? 0 ? 0 ? 0 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 ? ? 0 ? ? 0 0 ? ? 0 ? ? x ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 ? ? ? 0 0 0 0 0 0 ? ? ? ? ? ? ? ? 0 0 ? ? ? ? ? 0 0 ? ? 0 ? 0 ? 0 ? ? ? ? 0 ? ? 0 ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\1755831383_561078_41.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561140_467.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561156_334.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561156_500.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561171_137.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561171_582.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561187_312.tmp Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\1755831383_561187_450.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561187_896.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561203_122.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561203_622.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1755831383_561218_873.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\de2b18a0d2e961a1ffb9bfa5c9ca6e4f65e8832c_0000351024 Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Network Wininet
  • HttpQueryInfo
  • InternetOpen
  • InternetOpenUrl
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
Show More
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWriteFile
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ce5274a039a47547c848a7fa7c81f6de740154a4_0001253376.,LiQMAxHB

Related Posts

Trending

Most Viewed

Loading...