floxif | 742a1e53921514df24066cbd99bdcd8fc2ef4e8844e11081dec1d3fb9bd04271

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
Size

22.3MB
MD5

32e8e24340fa0f8050e9fed244de8451
SHA1

ebddf519a2b0d78b515250f1eec465db4b6cdbfa
SHA256

742a1e53921514df24066cbd99bdcd8fc2ef4e8844e11081dec1d3fb9bd04271
SHA512

6149ab231a92316a8672ba8a01bb7c829ad0efd629b48706b097a8973d7b25a96773dac54efb2d4d9c07f5bd48eab48f8d26545e276c82a950fbf288ddcf576e
SSDEEP

393216:GXYKjHs4737sM3HgVrAmIQoLd28A+a0r/DdXLnEsRgcHcqcp0q3WI28d+olEj:GXYKLsstBg89xDdbn8c8qk3N2Qlu

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00080000000120ff-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120ff-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
3012	ISBEW64.exe
2776	ISBEW64.exe
2616	ISBEW64.exe
2656	ISBEW64.exe
676	ISBEW64.exe
300	ISBEW64.exe
1292	ISBEW64.exe
1252	ISBEW64.exe
1528	ISBEW64.exe
2512	ISBEW64.exe
1860	ISBEW64.exe
852	qcmtusvc.exe
2852	DriverInstaller64.exe

Loads dropped DLL 26 IoCs

pid	Process
1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
3056	msiexec.exe
1736	msiexec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
2872	MsiExec.exe
852	qcmtusvc.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
856	Process not Found
856	Process not Found
2852	DriverInstaller64.exe
1292	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\e:	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdss	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\SET5330.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\SET5330.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\serial\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdss\amd64\SET83A1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\filter\amd64\SET2FBA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\filter\amd64\SET2FBA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\SET3B0F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_da7c440389b70c99\qcwwan.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdbusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdss\amd64\SET83A1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\SET3B0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\qcser.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\SET5331.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\serial	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\SET6B51.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\SET83A3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_neutral_4ef97d5ab321c09e\qdbusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\serial\amd64\SET3B0D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\serial\amd64\qcusbser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_df834dbe3a4f2ca5\qcmdm.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\SET2FA9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\qcwwan.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdss\amd64\SET83A2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\SET2FA8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\qcfilter.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\qcser.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\SET6B52.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\ndis	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\SET3B0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\qcmdm.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\ndis\6.2\amd64\SET6B53.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdss\amd64\SET83A2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\SET2FA9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\qcfilter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\ndis\6.2\amd64\SET6B53.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\filter\amd64\qcusbfilter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\filter	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_011cf7b068aef58d\qcser.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\ndis\6.2\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\SET83B4.tmp	DrvInst.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ff-1.dat	upx
behavioral1/memory/1732-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3056-9-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3056-10-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1736-12-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2872-17-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1736-75-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2872-76-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-82-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-90-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/852-191-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/852-194-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1292-197-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-424-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1292-429-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-522-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-716-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1292-750-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2872-751-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1736-752-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-753-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.sys	msiexec.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\logReader.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.sys	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI27AE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B87.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\f7722cd.ipi	msiexec.exe
File created	C:\Windows\Installer\f7722cf.msi	msiexec.exe
File created	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7722cd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI23E5.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\Installer\f7722cc.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7722cc.msi	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4E77131D-3629-431C-9818-C5679DC83E81} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000000d13fa7c54db01	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "50F96F0F677D720429F0EAB3F42EA9A4"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
2480	msiexec.exe
2480	msiexec.exe
1292	MsiExec.exe
1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
Token: SeDebugPrivilege	3056	msiexec.exe
Token: SeShutdownPrivilege	3056	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3056	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeCreateTokenPrivilege	3056	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3056	msiexec.exe
Token: SeLockMemoryPrivilege	3056	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3056	msiexec.exe
Token: SeMachineAccountPrivilege	3056	msiexec.exe
Token: SeTcbPrivilege	3056	msiexec.exe
Token: SeSecurityPrivilege	3056	msiexec.exe
Token: SeTakeOwnershipPrivilege	3056	msiexec.exe
Token: SeLoadDriverPrivilege	3056	msiexec.exe
Token: SeSystemProfilePrivilege	3056	msiexec.exe
Token: SeSystemtimePrivilege	3056	msiexec.exe
Token: SeProfSingleProcessPrivilege	3056	msiexec.exe
Token: SeIncBasePriorityPrivilege	3056	msiexec.exe
Token: SeCreatePagefilePrivilege	3056	msiexec.exe
Token: SeCreatePermanentPrivilege	3056	msiexec.exe
Token: SeBackupPrivilege	3056	msiexec.exe
Token: SeRestorePrivilege	3056	msiexec.exe
Token: SeShutdownPrivilege	3056	msiexec.exe
Token: SeDebugPrivilege	3056	msiexec.exe
Token: SeAuditPrivilege	3056	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3056	msiexec.exe
Token: SeChangeNotifyPrivilege	3056	msiexec.exe
Token: SeRemoteShutdownPrivilege	3056	msiexec.exe
Token: SeUndockPrivilege	3056	msiexec.exe
Token: SeSyncAgentPrivilege	3056	msiexec.exe
Token: SeEnableDelegationPrivilege	3056	msiexec.exe
Token: SeManageVolumePrivilege	3056	msiexec.exe
Token: SeImpersonatePrivilege	3056	msiexec.exe
Token: SeCreateGlobalPrivilege	3056	msiexec.exe
Token: SeDebugPrivilege	1736	msiexec.exe
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeCreateTokenPrivilege	1736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1736	msiexec.exe
Token: SeLockMemoryPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeMachineAccountPrivilege	1736	msiexec.exe
Token: SeTcbPrivilege	1736	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeLoadDriverPrivilege	1736	msiexec.exe
Token: SeSystemProfilePrivilege	1736	msiexec.exe
Token: SeSystemtimePrivilege	1736	msiexec.exe
Token: SeProfSingleProcessPrivilege	1736	msiexec.exe
Token: SeIncBasePriorityPrivilege	1736	msiexec.exe
Token: SeCreatePagefilePrivilege	1736	msiexec.exe
Token: SeCreatePermanentPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeDebugPrivilege	1736	msiexec.exe
Token: SeAuditPrivilege	1736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1736	msiexec.exe
Token: SeChangeNotifyPrivilege	1736	msiexec.exe
Token: SeRemoteShutdownPrivilege	1736	msiexec.exe
Token: SeUndockPrivilege	1736	msiexec.exe
Token: SeSyncAgentPrivilege	1736	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3056	msiexec.exe
3056	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
2852	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 3056	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	30
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 1732 wrote to memory of 1736	1732	2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe	32
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2480 wrote to memory of 2872	2480	msiexec.exe	33
PID 2872 wrote to memory of 3012	2872	MsiExec.exe	34
PID 2872 wrote to memory of 3012	2872	MsiExec.exe	34
PID 2872 wrote to memory of 3012	2872	MsiExec.exe	34
PID 2872 wrote to memory of 3012	2872	MsiExec.exe	34
PID 2872 wrote to memory of 2776	2872	MsiExec.exe	35
PID 2872 wrote to memory of 2776	2872	MsiExec.exe	35
PID 2872 wrote to memory of 2776	2872	MsiExec.exe	35
PID 2872 wrote to memory of 2776	2872	MsiExec.exe	35
PID 2872 wrote to memory of 2616	2872	MsiExec.exe	36
PID 2872 wrote to memory of 2616	2872	MsiExec.exe	36
PID 2872 wrote to memory of 2616	2872	MsiExec.exe	36
PID 2872 wrote to memory of 2616	2872	MsiExec.exe	36
PID 2872 wrote to memory of 2656	2872	MsiExec.exe	37
PID 2872 wrote to memory of 2656	2872	MsiExec.exe	37
PID 2872 wrote to memory of 2656	2872	MsiExec.exe	37
PID 2872 wrote to memory of 2656	2872	MsiExec.exe	37
PID 2872 wrote to memory of 676	2872	MsiExec.exe	38
PID 2872 wrote to memory of 676	2872	MsiExec.exe	38
PID 2872 wrote to memory of 676	2872	MsiExec.exe	38
PID 2872 wrote to memory of 676	2872	MsiExec.exe	38
PID 2872 wrote to memory of 300	2872	MsiExec.exe	39
PID 2872 wrote to memory of 300	2872	MsiExec.exe	39
PID 2872 wrote to memory of 300	2872	MsiExec.exe	39
PID 2872 wrote to memory of 300	2872	MsiExec.exe	39
PID 2872 wrote to memory of 1292	2872	MsiExec.exe	40
PID 2872 wrote to memory of 1292	2872	MsiExec.exe	40
PID 2872 wrote to memory of 1292	2872	MsiExec.exe	40
PID 2872 wrote to memory of 1292	2872	MsiExec.exe	40
PID 2872 wrote to memory of 1252	2872	MsiExec.exe	41
PID 2872 wrote to memory of 1252	2872	MsiExec.exe	41
PID 2872 wrote to memory of 1252	2872	MsiExec.exe	41
PID 2872 wrote to memory of 1252	2872	MsiExec.exe	41
PID 2872 wrote to memory of 1528	2872	MsiExec.exe	42
PID 2872 wrote to memory of 1528	2872	MsiExec.exe	42
PID 2872 wrote to memory of 1528	2872	MsiExec.exe	42
PID 2872 wrote to memory of 1528	2872	MsiExec.exe	42
PID 2872 wrote to memory of 2512	2872	MsiExec.exe	43
PID 2872 wrote to memory of 2512	2872	MsiExec.exe	43
PID 2872 wrote to memory of 2512	2872	MsiExec.exe	43
PID 2872 wrote to memory of 2512	2872	MsiExec.exe	43
PID 2872 wrote to memory of 1860	2872	MsiExec.exe	44
PID 2872 wrote to memory of 1860	2872	MsiExec.exe	44
PID 2872 wrote to memory of 1860	2872	MsiExec.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_32e8e24340fa0f8050e9fed244de8451_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3056
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 858E158CF1033C382ECE89120F5385B7 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F680456F-CE7B-4496-8059-0846948D1D2A}
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C292D452-4210-4403-849A-F9A3D5A3E0B8}
    3⤵
    - Executes dropped EXE
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1950AE3E-1240-4B3A-AE88-2EF81BE436E2}
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B225A88-6257-4178-9A45-A3C123FE1F19}
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B23823B-0CDD-4974-8EA2-C7C51BB6B61A}
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B565826-5FC1-463A-8B7D-AE2CB114AA3F}
    3⤵
    - Executes dropped EXE
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{29154596-23A5-42DA-9C0C-CC6B528B8215}
    3⤵
    - Executes dropped EXE
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6EC49DBF-DD30-4E8D-814B-E0495489518D}
    3⤵
    - Executes dropped EXE
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6DDB23CE-D77F-4AC2-8DB7-E70DA342D703}
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B75C7D2-5894-4199-A22E-DFB85BBD5D0F}
    3⤵
    - Executes dropped EXE
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F7D7EA8D-8284-4C21-9A17-D8467DFF4DAD}
    3⤵
    - Executes dropped EXE
    PID:1860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57B69863A4DB338CC25ED0DC5620AD46 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2240

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000004BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:704

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:852

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{072254bb-2284-0129-582d-0d5c2e45611c}\qcfilter.inf" "9" "6342d598b" "00000000000005D8" "WinSta0\Default" "00000000000004BC" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1860
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{34879155-f45c-45b0-503f-2417c2c7774e} Global\{3a8bd0e3-a9f7-59b1-97db-bc676d5d3d4e} C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{17693c8c-355f-70c1-c93b-4014da526c21}\qcfilter.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:836

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0f8a2b3a-c9d2-5e0c-f016-a96a649a8a65}\qcser.inf" "9" "60f02979b" "00000000000004BC" "WinSta0\Default" "00000000000003C4" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{49a605a1-4a3c-6c58-8c14-732e7a8eaf5a} Global\{7f6a2eec-db86-7d38-c425-6f2cbf15dc01} C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\qcser.inf C:\Windows\System32\DriverStore\Temp\{433c9c41-2cb4-3788-ec46-e226a105a649}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2608

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{110fad84-85d4-2ce5-7c5a-aa3ae9aace73}\qcmdm.inf" "9" "62223751f" "00000000000003C4" "WinSta0\Default" "00000000000005D0" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2992
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{154401a9-0c69-16b4-204e-00337422b25a} Global\{6aea6d4f-3d48-131f-9617-9a018b14a53c} C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\qcmdm.inf C:\Windows\System32\DriverStore\Temp\{20a878ff-fbf9-4a44-7b6d-555c60c0bd21}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2024

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{405cf1f7-7304-409a-2276-e16527fbe512}\qcwwan.inf" "9" "64190a197" "00000000000005D0" "WinSta0\Default" "00000000000005D8" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{71386607-8ba9-17f1-4d73-0a1e123da359} Global\{447f0e60-ce48-2f7b-4b22-b431f625614b} C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\qcwwan.inf C:\Windows\System32\DriverStore\Temp\{4d1b89c3-11c1-094a-21f0-606c9417b118}\qcwwan.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2832

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4ce5cc79-e014-5810-7cd9-f46fff14337b}\qdbusb.inf" "9" "6a7d91597" "00000000000005D8" "WinSta0\Default" "00000000000004BC" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:320
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6dea4fbd-ed6f-6b70-3a8e-5411c9d0a664} Global\{31b79ba6-02ca-3f8a-9c9a-7b129837c844} C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdbusb.inf C:\Windows\System32\DriverStore\Temp\{7e171ad3-cd87-084b-1e68-a56205a0c763}\qdbusb.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7722ce.rbs

Filesize
36KB

MD5
8129226b9de942690976a85e54110229

SHA1
b80ca9454131674d76ca256e577df6a0cfb0d565

SHA256
4194b8c7ec5d78ec2c1470e98eb3076bce2d9a94b3c0d088d97c4349934d8127

SHA512
ecf08b2748c93f83dec56bd9d368be51be6864890875196bf21b7950fb3810063b597eeb6d364190324465a402e0b540a44ee9659e58417ede19b71f323c0d30

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\serial\amd64\qcusbser.sys

Filesize
240KB

MD5
a5a4cb5c986715796eb1285289b9c779

SHA1
549fafefb36d1df67d1b8b7817041e4f5677e6ed

SHA256
357eb980c5d7a9ab4cfa5892432dac41ee9c0f03420fa9b927d78119054f91f6

SHA512
032c45b2bba7c5dfafbd0583bc96e79c1710dd981775d6184c131d49835d2183aad7dbaaeda2f45f2b3f490c3a8158c0d901c5467f4ca3158ff01a61c59cc1b5

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
2e42457c54c0d281aa191c7ca8e7bc11

SHA1
33d5ad6b11cd681f956e5dc607c54c5eca168e19

SHA256
210f20b72fe67a1b12846aab7886b6bd9702a3caf31a3b6affab3a0dc60199ff

SHA512
434872af382e5a73570c1a13d18b9febc71bec25d2ce20fdcfa0fbd23afb103b136d91fa6b6e8b01736a0b59d1477e7296d8a6fda2b26aa0c679454c9246ec1e

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
537b58f4523aa9638859d88d61d3ff77

SHA1
522b5f172d44d84e7e72201fde56bad684832237

SHA256
e1a039481b5470841932f440864c14d0139991d22655da1673afcef33b07f82d

SHA512
c2348d6001c6819233a55b1e2ced1fbdbfb6db630c38ffa59185680c31bca8868dfc9ba06350d9d4e9b70f555d0b1e7afa4ba7b55718ee103df5d41e1ecc57a4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
96KB

MD5
d7a950a11638dc52717d9270ef09e150

SHA1
ec1a37f5e70431b63609199a067784f4a63b2d5c

SHA256
0d2a9ef7f0bcdde3d7b5f548b29fed32f4aee8d253d3da41553b7a4dc87a57a0

SHA512
0af7bcaf1058d70790a97641a5f46706323b9a649e5731c51885fa1fe5f7d2474e9bbd907db3ae275bda8246951c7eef46c23076fcea1c8750fb2809dd51a0e4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
37KB

MD5
c44f842ad6d69df37aa0dcf5b05d54b7

SHA1
62eeff99483ba72c0fb341e768124d74071855c5

SHA256
5a544fda42a991a970ea3417ab49f967cdcb9fe89a14ae53d6566707a328b730

SHA512
44743848307af8d47b978189ba6d192d7d1c39c98bf2d2efe123bc2afc6ed42bade0e101e0b7e8ccb729949ffe89626ce995937d17c8b217e472e45e3ea368fa

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.cat

Filesize
97KB

MD5
da65117158c5a4d005ad82a68e53e1e8

SHA1
78c0fb4c89a7cac5e3e36ce9e9c54b6507bc2e2a

SHA256
04390a6986d3809f81dbcb345481cd7bcc54430c041754b5464201dcbb6b9bf5

SHA512
5619d046b5047ba8620667835364724bf1c78ab91b74bcb8ade36ff5e8e6cc5c8dc2d56709b083c187ea5ed74679bb10ac3eba3d494dd6e1d7f889831eb4cc44

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
101KB

MD5
756d9f6aa85025335d121246e5262528

SHA1
54d28ffe46bb81c86ca498bd0c357d63416b2fa7

SHA256
c8fbd819931030b3800397643ce23bac7f9cb46a770c8c7e5104682afbd0571a

SHA512
3012c1b14700bd3dc91f79cd774a61d5b0849203ce6a3d9be742ad902f8d7b52700061fcbde85ce8df2b4ca04b48a66ba81f87616ae7c12028b1ad9699a1f08d

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA6DA.tmp

Filesize
1.3MB

MD5
526de93ee8ed331cf89a744c3aefc355

SHA1
c5e8410afc34ebde8372e0e1711e4155d34dece3

SHA256
f369ed198e835a3362d1c7d5ddf4b853f9339aafa6b5a6032fe13fb51c02c590

SHA512
b3b21ff3f4f98d8d5b14f191d04061addc4c44faf492a4788becfef5cbd55ecc82fc7eb373649fa825264d79b763955d708948412b47555b965ff9ea2d195a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.9MB

MD5
fcf5ad3c6e3630c94858e8dd51d07e3a

SHA1
87f6a86b18d0133ca75e63948c85fdd7aef04003

SHA256
11d689580a499cc28048ded32bb408ce417e723787edb8eb4ac68336016c0539

SHA512
a1c19f0977a26468dd6125c8422aa154d4d16f20717be9aa9de95b81dfdc4bd21db52502f102906ba9c9f862a1908ff925a02f4e0f527d4a4328d13758d3e271

Download Submit
C:\Users\Admin\AppData\Local\Temp\{072254bb-2284-0129-582d-0d5c2e45611c}\filter\amd64\SET2F6C.tmp

Filesize
39KB

MD5
8438bd5302eed284de96cf98accdfda2

SHA1
7aacc6fcc500345e6df8cec8839cc63a890779f1

SHA256
0011975f3bad3d11747ca9ba4c24ea674d63131e679ac552d4af2b5ffd7f86dc

SHA512
406eee9d1450b1cf3a4f1b259182b2fb8f494e297498d4f24f45c5d61fd70c8869b3dc750c144da62d58f6985a2ff715e352be337aa623ecc676d471a3bd73bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{110fad84-85d4-2ce5-7c5a-aa3ae9aace73}\SET5307.tmp

Filesize
44KB

MD5
bfd724e1364eb3284822e0b27899d78c

SHA1
e95ff9e797d391ca0aa93b55f3cec5dfb9e95e5a

SHA256
f59f3b976a682c730201e2d4aa4e33f627f92595aa4fde117521a12f2ee8e305

SHA512
9ff0081d900b94cf12ac2b1dbec1fd5ebb108a5048068534a894a6f20c743be387522c45965fc3d68af81d113fa3cb23e5397ed62088641c46c2579a410d66fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{405cf1f7-7304-409a-2276-e16527fbe512}\ndis\6.2\amd64\qcusbwwan.sys

Filesize
535KB

MD5
d08431790b71fbd56875762df88185d9

SHA1
03a6fe5c60799a5c0a12f10e3aa837cddd026d81

SHA256
d6298128cfc0f56646340d8d67bf124412ea2e9852fe9342e36bff177a4a01b0

SHA512
1cceaddacaab89e76a350dcd96a1e329a1c2234ea6c33a5f48615f3f6d55f9aa62cb3690e6057df71df2191a98e5dfd712f2d5f3b6da410989adb40a521910ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{405cf1f7-7304-409a-2276-e16527fbe512}\qcwwan.cat

Filesize
96KB

MD5
1f367e482b4ad610667b425ec6fe8812

SHA1
49769d83232e2e366817691f03686e5ef0e70c65

SHA256
6476bf4f4f731a10e7766f24cec6d71db5140481ff16b87390b402fe8502786a

SHA512
5b0db6294b4305652341647036114ef5680be958a94744d9713fdf9e40254f9750f5649792bcce8b03bbf6cb5b533747a84894e1f82a35fc38c392f65ec48e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\{405cf1f7-7304-409a-2276-e16527fbe512}\qcwwan.inf

Filesize
73KB

MD5
5667cdc8aa7e89f575417aa5837f9202

SHA1
6449ecffb2a4aebaf4f05a69ac14fb202847f364

SHA256
363addf226aca987a56a2caa95ce19eea4dd86654d46e103f0d6184863ace934

SHA512
02f00e41469e9e9d76a3928ff5ce651f2977f236642f59e6e25fec3c78dfe3ecf7cc1e7253e1bf65ff6834566547172d175366d37d0dd711394f41e573340965

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4ce5cc79-e014-5810-7cd9-f46fff14337b}\SET8361.tmp

Filesize
97KB

MD5
7dc0850624be0d3e8def9d653c013291

SHA1
5ffe8a50771d9dd6d3a9d15f14575517bedfda5d

SHA256
070db359908f6955e129024d1de0acf4750790f21ced52fb333e056d2fdd7be7

SHA512
a51a447a8f9793691a9d0314b846c6e3555c22c693c7e0367307001c19744bd8b1ba72261de925c740af9d69a07cbb94a1e5a51b1128394a5a732e2fec1a040e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4ce5cc79-e014-5810-7cd9-f46fff14337b}\SET8362.tmp

Filesize
9KB

MD5
e7fb3e2ee6ae0890da972587516a8110

SHA1
93267d82c6564f618fafdd6f8a3edb5d8eff70bb

SHA256
94dd4e0aab352f69f7788a98563048f23f50402862e89376ca5ec5b742373eba

SHA512
6478515112c69674e54474a38b81fe8c1301fbfe64536b96162ade151e5baae22d1886230da2dd477a9d5448797b39f8f4fcb65d88fcb5bdb242a60868630edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4ce5cc79-e014-5810-7cd9-f46fff14337b}\qdss\amd64\SET835F.tmp

Filesize
46KB

MD5
0b13a08c6eaa6d7ad76bc43d64b9732b

SHA1
1e7e512dc690675b3814a879d17642d030ba4ac9

SHA256
08ec62ca5a4a64ac48f9963f8623b99d135b9fda6b658ade2564df15d822d950

SHA512
709a29c317a06c893a4efa334d0a9455876c592a659d081bee712a964fe48918af2cea8e9bb0e607ea3915bee6c6442615ffd6084fd9edfd8ae465440b003032

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4ce5cc79-e014-5810-7cd9-f46fff14337b}\qdss\amd64\SET8360.tmp

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Windows\Installer\MSI27AE.tmp

Filesize
1.6MB

MD5
fba7113c8d1b7eecd0e731c184418f29

SHA1
9961d5ca567f32c703a6b953933ff5fc22fca396

SHA256
1d10c129f67a74e1d393bf3c71f76285d3082ce5aa2712e8ffc2c8e148d659d5

SHA512
9cad372e139e744a7ade1e7c1b1f50508a22f2c69a5f73417c5a1db588bde34767e402d7770986f758e7cd118f2d67f6be2bb3fa2765e4e7c0bad7e4a4acc631

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF

Filesize
100KB

MD5
86f472c4d591a0b2adfdbd1a11568560

SHA1
dcde9c560a30151649500b1ac2e95dc9bc44912b

SHA256
6fe7fec69600ecdea5df1ea5af5547d58b4885d4e8877f240eaa4bd6fcf87282

SHA512
84e4442a819950b7987714ad87eb23a27e3b0fc74fd5bc4c44f7b53034f6f217bd58028b2ce97a52ef0571cc3ec80a0ba18822e72e4b3682b99a5c7d445eeb0a

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_011cf7b068aef58d\qcser.PNF

Filesize
184KB

MD5
3bc5f2851275593184008da5ff5c225c

SHA1
f53a7cae7cbc19ecdf49a07bdc5533ed8e3d7e3f

SHA256
40d4a634d57f74e1ad3291b68f70534c19a14aaf4e3b1bb7958b8746f92c181e

SHA512
dddaaa4b3fbdee06f5c30a7766674c24a88230c6f935ffa08e021084f31798db6872ced4c52fe50f577810df106982d7b4dbb74ec7160856f1289e00ed2973ac

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
16a4254e90ee7e62bb473dd3f47665a6

SHA1
343b50c06c260509403fa7f13101cca2d3a51445

SHA256
0babff50d50e2cd7044419b75e918e13c4e83f13064a55f85b1c7458eba19df7

SHA512
cdcaf82d255963077ffd7d9c5eece33c48ce4d33431d38822bbb8dd26e727825e32ff11e692584ceb7b409e922486fe13c78acb0555fd43988c302849034507d

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
191KB

MD5
70578bd3fb58d26f1d980901e3655dbf

SHA1
e51bba13603af88693163ba2a8e568d30005736b

SHA256
bfb4ae8ba4aa49f1664605089b9cb1769e3712886be02ce46e63f25298f6dfac

SHA512
8fb0de57bafb2fa1c1989a317bcecaa8c53620c3306a5a2c3608a03fb0a2ba96f730611b82e871b1321f9d04ae721c46a2fffcfcc72a75adb3aff57fa5f2e0a8

Download Submit
C:\Windows\Temp\Cab3046.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar3059.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
\Users\Admin\AppData\Local\Temp\{A2243976-DE5B-431A-9191-56112C191426}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
memory/852-191-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/852-194-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1292-750-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1292-197-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1292-429-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-522-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-5-0x0000000000476000-0x0000000000479000-memory.dmp

Filesize
12KB

Download
memory/1732-716-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-753-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-424-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-90-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-82-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1736-75-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1736-12-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1736-752-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2024-500-0x000007FEF5DB0000-0x000007FEF5DEA000-memory.dmp

Filesize
232KB

Download
memory/2872-47-0x00000000034D0000-0x0000000003559000-memory.dmp

Filesize
548KB

Download
memory/2872-17-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2872-20-0x0000000002BC0000-0x0000000002D75000-memory.dmp

Filesize
1.7MB

Download
memory/2872-751-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2872-44-0x00000000032E0000-0x0000000003387000-memory.dmp

Filesize
668KB

Download
memory/2872-76-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3056-9-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3056-10-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download