floxif | 0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Size

22.3MB
MD5

11e8ce1c130f56c79b70751cd7669d8c
SHA1

560ff3bdf4483fddbf948ac8e715d8cfaf2a42d0
SHA256

0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133
SHA512

6f1d1c4584b18c3d0aab8821c7f22e558eecec356204a5a6cd92f361dad23041dc751c2d5083db210cf8d9117b1721b4012303ba2032e9e1e13ea514ca0b560f
SSDEEP

393216:GX9pjHs4737sM3HgVrAmIQoLd28A+a0r/DdXLnEsRgcHcqcp0q3WI28d+olEi:GX9pLsstBg89xDdbn8c8qk3N2QlX

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000d000000012267-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012267-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
2860	ISBEW64.exe
3040	ISBEW64.exe
2624	ISBEW64.exe
2020	ISBEW64.exe
1028	ISBEW64.exe
2420	ISBEW64.exe
2856	ISBEW64.exe
1048	ISBEW64.exe
1016	ISBEW64.exe
824	ISBEW64.exe
2220	ISBEW64.exe
1028	qcmtusvc.exe
2856	DriverInstaller64.exe

Loads dropped DLL 26 IoCs

pid	Process
2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
2644	msiexec.exe
2568	msiexec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
2564	MsiExec.exe
1028	qcmtusvc.exe
800	MsiExec.exe
800	MsiExec.exe
800	MsiExec.exe
840	Process not Found
840	Process not Found
2856	DriverInstaller64.exe
800	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\e:	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\filter\amd64\SET7AFC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\serial\amd64\qcusbser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\SET984A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\qcwwan.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\ndis	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\filter\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\qcser.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_df834dbe3a4f2ca5\qcmdm.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_da7c440389b70c99\qcwwan.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\SET984B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\SETB09A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_da7c440389b70c99\qcwwan.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\SET8087.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_011cf7b068aef58d\qcser.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\SET8086.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\qcmdm.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_df834dbe3a4f2ca5\qcmdm.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\SET984A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\SET7AFA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\ndis\6.2\amd64\SETB09C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\serial\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\SET984B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\ndis\6.2\amd64\SETB09C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\qcfilter.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\filter\amd64\SET7AFC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_011cf7b068aef58d\qcser.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\SETB09B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\ndis\6.2	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\qcfilter.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\serial\amd64\SET9849.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\SET7AFA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\qcwwan.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\SET7AFB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\filter\amd64\qcusbfilter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\ndis\6.2\amd64\qcusbwwan.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\filter	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\SET8086.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\SET8087.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\serial\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\SETB09B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\serial\amd64\SET8085.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\serial	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\SETB09A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012267-1.dat	upx
behavioral1/memory/2716-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-9-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2644-11-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2568-13-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2564-18-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-65-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2568-76-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2564-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-78-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-83-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-88-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1028-194-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1028-197-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/800-200-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-434-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/800-508-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-623-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-674-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/800-698-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2564-700-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2568-701-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-702-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\logReader.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.inf	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f776cc8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\f776cca.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI70FD.tmp	msiexec.exe
File created	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\f776cc8.ipi	msiexec.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6DC1.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE0B1.tmp	msiexec.exe
File created	C:\Windows\Installer\f776cc7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f776cc7.msi	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 01000000000000007096b57a5659db01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "50F96F0F677D720429F0EAB3F42EA9A4"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
2692	msiexec.exe
2692	msiexec.exe
2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Token: SeDebugPrivilege	2644	msiexec.exe
Token: SeShutdownPrivilege	2644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeSecurityPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	2644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2644	msiexec.exe
Token: SeLockMemoryPrivilege	2644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2644	msiexec.exe
Token: SeMachineAccountPrivilege	2644	msiexec.exe
Token: SeTcbPrivilege	2644	msiexec.exe
Token: SeSecurityPrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeLoadDriverPrivilege	2644	msiexec.exe
Token: SeSystemProfilePrivilege	2644	msiexec.exe
Token: SeSystemtimePrivilege	2644	msiexec.exe
Token: SeProfSingleProcessPrivilege	2644	msiexec.exe
Token: SeIncBasePriorityPrivilege	2644	msiexec.exe
Token: SeCreatePagefilePrivilege	2644	msiexec.exe
Token: SeCreatePermanentPrivilege	2644	msiexec.exe
Token: SeBackupPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeShutdownPrivilege	2644	msiexec.exe
Token: SeDebugPrivilege	2644	msiexec.exe
Token: SeAuditPrivilege	2644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2644	msiexec.exe
Token: SeChangeNotifyPrivilege	2644	msiexec.exe
Token: SeRemoteShutdownPrivilege	2644	msiexec.exe
Token: SeUndockPrivilege	2644	msiexec.exe
Token: SeSyncAgentPrivilege	2644	msiexec.exe
Token: SeEnableDelegationPrivilege	2644	msiexec.exe
Token: SeManageVolumePrivilege	2644	msiexec.exe
Token: SeImpersonatePrivilege	2644	msiexec.exe
Token: SeCreateGlobalPrivilege	2644	msiexec.exe
Token: SeDebugPrivilege	2568	msiexec.exe
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeCreateTokenPrivilege	2568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2568	msiexec.exe
Token: SeLockMemoryPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeMachineAccountPrivilege	2568	msiexec.exe
Token: SeTcbPrivilege	2568	msiexec.exe
Token: SeSecurityPrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeLoadDriverPrivilege	2568	msiexec.exe
Token: SeSystemProfilePrivilege	2568	msiexec.exe
Token: SeSystemtimePrivilege	2568	msiexec.exe
Token: SeProfSingleProcessPrivilege	2568	msiexec.exe
Token: SeIncBasePriorityPrivilege	2568	msiexec.exe
Token: SeCreatePagefilePrivilege	2568	msiexec.exe
Token: SeCreatePermanentPrivilege	2568	msiexec.exe
Token: SeBackupPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeDebugPrivilege	2568	msiexec.exe
Token: SeAuditPrivilege	2568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2568	msiexec.exe
Token: SeChangeNotifyPrivilege	2568	msiexec.exe
Token: SeRemoteShutdownPrivilege	2568	msiexec.exe
Token: SeUndockPrivilege	2568	msiexec.exe
Token: SeSyncAgentPrivilege	2568	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2644	msiexec.exe
2644	msiexec.exe
2568	msiexec.exe
2568	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
2856	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2644	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	31
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2716 wrote to memory of 2568	2716	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	33
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2692 wrote to memory of 2564	2692	msiexec.exe	34
PID 2564 wrote to memory of 2860	2564	MsiExec.exe	35
PID 2564 wrote to memory of 2860	2564	MsiExec.exe	35
PID 2564 wrote to memory of 2860	2564	MsiExec.exe	35
PID 2564 wrote to memory of 2860	2564	MsiExec.exe	35
PID 2564 wrote to memory of 3040	2564	MsiExec.exe	36
PID 2564 wrote to memory of 3040	2564	MsiExec.exe	36
PID 2564 wrote to memory of 3040	2564	MsiExec.exe	36
PID 2564 wrote to memory of 3040	2564	MsiExec.exe	36
PID 2564 wrote to memory of 2624	2564	MsiExec.exe	37
PID 2564 wrote to memory of 2624	2564	MsiExec.exe	37
PID 2564 wrote to memory of 2624	2564	MsiExec.exe	37
PID 2564 wrote to memory of 2624	2564	MsiExec.exe	37
PID 2564 wrote to memory of 2020	2564	MsiExec.exe	38
PID 2564 wrote to memory of 2020	2564	MsiExec.exe	38
PID 2564 wrote to memory of 2020	2564	MsiExec.exe	38
PID 2564 wrote to memory of 2020	2564	MsiExec.exe	38
PID 2564 wrote to memory of 1028	2564	MsiExec.exe	39
PID 2564 wrote to memory of 1028	2564	MsiExec.exe	39
PID 2564 wrote to memory of 1028	2564	MsiExec.exe	39
PID 2564 wrote to memory of 1028	2564	MsiExec.exe	39
PID 2564 wrote to memory of 2420	2564	MsiExec.exe	40
PID 2564 wrote to memory of 2420	2564	MsiExec.exe	40
PID 2564 wrote to memory of 2420	2564	MsiExec.exe	40
PID 2564 wrote to memory of 2420	2564	MsiExec.exe	40
PID 2564 wrote to memory of 2856	2564	MsiExec.exe	41
PID 2564 wrote to memory of 2856	2564	MsiExec.exe	41
PID 2564 wrote to memory of 2856	2564	MsiExec.exe	41
PID 2564 wrote to memory of 2856	2564	MsiExec.exe	41
PID 2564 wrote to memory of 1048	2564	MsiExec.exe	42
PID 2564 wrote to memory of 1048	2564	MsiExec.exe	42
PID 2564 wrote to memory of 1048	2564	MsiExec.exe	42
PID 2564 wrote to memory of 1048	2564	MsiExec.exe	42
PID 2564 wrote to memory of 1016	2564	MsiExec.exe	43
PID 2564 wrote to memory of 1016	2564	MsiExec.exe	43
PID 2564 wrote to memory of 1016	2564	MsiExec.exe	43
PID 2564 wrote to memory of 1016	2564	MsiExec.exe	43
PID 2564 wrote to memory of 824	2564	MsiExec.exe	44
PID 2564 wrote to memory of 824	2564	MsiExec.exe	44
PID 2564 wrote to memory of 824	2564	MsiExec.exe	44
PID 2564 wrote to memory of 824	2564	MsiExec.exe	44
PID 2564 wrote to memory of 2220	2564	MsiExec.exe	45
PID 2564 wrote to memory of 2220	2564	MsiExec.exe	45
PID 2564 wrote to memory of 2220	2564	MsiExec.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2644
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2568

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86FCAD15567D7EC259C1C9F3528CC0D9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{71378F35-6EA5-4308-A71E-E15141B8F9A8}
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B38966E2-68D0-46D9-B562-9796B1C7DA0B}
    3⤵
    - Executes dropped EXE
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66AB996C-B53D-4CB1-8A5D-5749654D8482}
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{255812C1-2381-422B-8BB0-9EDC89C60E98}
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E25D935-EE49-4285-B0AC-FD2E072505E5}
    3⤵
    - Executes dropped EXE
    PID:1028
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{53B5A8CA-9785-45B0-B0AD-BE59A20B762B}
    3⤵
    - Executes dropped EXE
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0BB28CB3-92D5-4798-8F06-5775C3D22802}
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67082D78-CBAB-4668-B5AE-E46A1BF1FE77}
    3⤵
    - Executes dropped EXE
    PID:1048
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B142147-F2FB-4706-9468-CF6B0A547C75}
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B2358356-5F79-4C63-B4A0-53276937CEA5}
    3⤵
    - Executes dropped EXE
    PID:824
- - C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28F1570D-66AC-4846-9234-C9415FA4CC62}
    3⤵
    - Executes dropped EXE
    PID:2220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 72D017760F2DD171DB00299F740EA1C7 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:800
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2060

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000318" "00000000000005E8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3056

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{099b1747-1747-099b-3ee1-872160cd1d36}\qcfilter.inf" "9" "6342d598b" "00000000000005E8" "WinSta0\Default" "0000000000000320" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1928
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{20153d58-5a2d-6999-583d-15208b1dd710} Global\{44fb5cb5-2ab2-0310-edc1-6931c443476d} C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{0008e4d5-d018-4eb5-df01-5b7f5c288a43}\qcfilter.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1244

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5f033797-bc01-3667-c45c-1853f9e8c15f}\qcser.inf" "9" "60f02979b" "0000000000000320" "WinSta0\Default" "0000000000000318" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2792
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3c8d8449-8cd6-124f-065e-ea2d1c7b6a76} Global\{52028581-9ca6-3bd2-5c79-f13cab468e36} C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\qcser.inf C:\Windows\System32\DriverStore\Temp\{0d3b9d1c-2a88-1e19-4415-b450e63f0301}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1820

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{66187df2-795e-518f-8b36-7e7917c47a73}\qcmdm.inf" "9" "62223751f" "0000000000000318" "WinSta0\Default" "00000000000004C8" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2408
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{135cc087-2b02-4d71-4873-3a03dfff257c} Global\{04c73eef-5c01-071b-b187-1300f998c801} C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\qcmdm.inf C:\Windows\System32\DriverStore\Temp\{5abf8f99-7923-2334-c07f-14439d3d1678}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{135c864f-03c3-596c-1fc9-431bf84a2069}\qcwwan.inf" "9" "64190a197" "00000000000004C8" "WinSta0\Default" "00000000000005E8" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2924
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3de1713e-a20b-0853-23b7-b6623bb92d33} Global\{31627159-8f71-6995-942d-504c1245684d} C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\qcwwan.inf C:\Windows\System32\DriverStore\Temp\{142c8147-e098-4823-d84d-dd110db47915}\qcwwan.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2344

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6ff916c8-8bdc-57fb-58a4-f72837da4037}\qdbusb.inf" "9" "6a7d91597" "00000000000005E8" "WinSta0\Default" "0000000000000320" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Modifies data under HKEY_USERS
PID:2444
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{6da91724-ee05-382c-2f62-640f5e493a76} Global\{3ad6680c-274b-7c7b-15c2-105fdb657b57} C:\Windows\System32\DriverStore\Temp\{70052c00-e17b-6993-6d5f-6c552c64dc27}\qdbusb.inf C:\Windows\System32\DriverStore\Temp\{70052c00-e17b-6993-6d5f-6c552c64dc27}\qdbusb.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f776cc9.rbs

Filesize
36KB

MD5
a145a835f214645ab30b8243d43813b9

SHA1
7b4a4e815e32255d8936aad7c1e7f7d87543ef11

SHA256
006d7f7552d6432d892bd01c9e3526ad180b844a58fcadc1677ce3d921cd6bbb

SHA512
721dfc3573df78fbdc2e3a4e73afaf684df10c1e3e2aa2d03cfc748bc40d172a4f89f6086abb32ee2b7230f13486c644740360830a92105eb336476b09739d96

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\filter\amd64\qcusbfilter.sys

Filesize
39KB

MD5
8438bd5302eed284de96cf98accdfda2

SHA1
7aacc6fcc500345e6df8cec8839cc63a890779f1

SHA256
0011975f3bad3d11747ca9ba4c24ea674d63131e679ac552d4af2b5ffd7f86dc

SHA512
406eee9d1450b1cf3a4f1b259182b2fb8f494e297498d4f24f45c5d61fd70c8869b3dc750c144da62d58f6985a2ff715e352be337aa623ecc676d471a3bd73bf

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\serial\amd64\qcusbser.sys

Filesize
240KB

MD5
a5a4cb5c986715796eb1285289b9c779

SHA1
549fafefb36d1df67d1b8b7817041e4f5677e6ed

SHA256
357eb980c5d7a9ab4cfa5892432dac41ee9c0f03420fa9b927d78119054f91f6

SHA512
032c45b2bba7c5dfafbd0583bc96e79c1710dd981775d6184c131d49835d2183aad7dbaaeda2f45f2b3f490c3a8158c0d901c5467f4ca3158ff01a61c59cc1b5

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DifxApi\amd64\difxapi.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
2e42457c54c0d281aa191c7ca8e7bc11

SHA1
33d5ad6b11cd681f956e5dc607c54c5eca168e19

SHA256
210f20b72fe67a1b12846aab7886b6bd9702a3caf31a3b6affab3a0dc60199ff

SHA512
434872af382e5a73570c1a13d18b9febc71bec25d2ce20fdcfa0fbd23afb103b136d91fa6b6e8b01736a0b59d1477e7296d8a6fda2b26aa0c679454c9246ec1e

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
537b58f4523aa9638859d88d61d3ff77

SHA1
522b5f172d44d84e7e72201fde56bad684832237

SHA256
e1a039481b5470841932f440864c14d0139991d22655da1673afcef33b07f82d

SHA512
c2348d6001c6819233a55b1e2ced1fbdbfb6db630c38ffa59185680c31bca8868dfc9ba06350d9d4e9b70f555d0b1e7afa4ba7b55718ee103df5d41e1ecc57a4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
96KB

MD5
d7a950a11638dc52717d9270ef09e150

SHA1
ec1a37f5e70431b63609199a067784f4a63b2d5c

SHA256
0d2a9ef7f0bcdde3d7b5f548b29fed32f4aee8d253d3da41553b7a4dc87a57a0

SHA512
0af7bcaf1058d70790a97641a5f46706323b9a649e5731c51885fa1fe5f7d2474e9bbd907db3ae275bda8246951c7eef46c23076fcea1c8750fb2809dd51a0e4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
37KB

MD5
c44f842ad6d69df37aa0dcf5b05d54b7

SHA1
62eeff99483ba72c0fb341e768124d74071855c5

SHA256
5a544fda42a991a970ea3417ab49f967cdcb9fe89a14ae53d6566707a328b730

SHA512
44743848307af8d47b978189ba6d192d7d1c39c98bf2d2efe123bc2afc6ed42bade0e101e0b7e8ccb729949ffe89626ce995937d17c8b217e472e45e3ea368fa

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.cat

Filesize
97KB

MD5
da65117158c5a4d005ad82a68e53e1e8

SHA1
78c0fb4c89a7cac5e3e36ce9e9c54b6507bc2e2a

SHA256
04390a6986d3809f81dbcb345481cd7bcc54430c041754b5464201dcbb6b9bf5

SHA512
5619d046b5047ba8620667835364724bf1c78ab91b74bcb8ade36ff5e8e6cc5c8dc2d56709b083c187ea5ed74679bb10ac3eba3d494dd6e1d7f889831eb4cc44

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
101KB

MD5
756d9f6aa85025335d121246e5262528

SHA1
54d28ffe46bb81c86ca498bd0c357d63416b2fa7

SHA256
c8fbd819931030b3800397643ce23bac7f9cb46a770c8c7e5104682afbd0571a

SHA512
3012c1b14700bd3dc91f79cd774a61d5b0849203ce6a3d9be742ad902f8d7b52700061fcbde85ce8df2b4ca04b48a66ba81f87616ae7c12028b1ad9699a1f08d

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF383.tmp

Filesize
1.3MB

MD5
526de93ee8ed331cf89a744c3aefc355

SHA1
c5e8410afc34ebde8372e0e1711e4155d34dece3

SHA256
f369ed198e835a3362d1c7d5ddf4b853f9339aafa6b5a6032fe13fb51c02c590

SHA512
b3b21ff3f4f98d8d5b14f191d04061addc4c44faf492a4788becfef5cbd55ecc82fc7eb373649fa825264d79b763955d708948412b47555b965ff9ea2d195a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.9MB

MD5
fcf5ad3c6e3630c94858e8dd51d07e3a

SHA1
87f6a86b18d0133ca75e63948c85fdd7aef04003

SHA256
11d689580a499cc28048ded32bb408ce417e723787edb8eb4ac68336016c0539

SHA512
a1c19f0977a26468dd6125c8422aa154d4d16f20717be9aa9de95b81dfdc4bd21db52502f102906ba9c9f862a1908ff925a02f4e0f527d4a4328d13758d3e271

Download Submit
C:\Users\Admin\AppData\Local\Temp\{135c864f-03c3-596c-1fc9-431bf84a2069}\ndis\6.2\amd64\qcusbwwan.sys

Filesize
535KB

MD5
d08431790b71fbd56875762df88185d9

SHA1
03a6fe5c60799a5c0a12f10e3aa837cddd026d81

SHA256
d6298128cfc0f56646340d8d67bf124412ea2e9852fe9342e36bff177a4a01b0

SHA512
1cceaddacaab89e76a350dcd96a1e329a1c2234ea6c33a5f48615f3f6d55f9aa62cb3690e6057df71df2191a98e5dfd712f2d5f3b6da410989adb40a521910ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{135c864f-03c3-596c-1fc9-431bf84a2069}\qcwwan.cat

Filesize
96KB

MD5
1f367e482b4ad610667b425ec6fe8812

SHA1
49769d83232e2e366817691f03686e5ef0e70c65

SHA256
6476bf4f4f731a10e7766f24cec6d71db5140481ff16b87390b402fe8502786a

SHA512
5b0db6294b4305652341647036114ef5680be958a94744d9713fdf9e40254f9750f5649792bcce8b03bbf6cb5b533747a84894e1f82a35fc38c392f65ec48e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\{135c864f-03c3-596c-1fc9-431bf84a2069}\qcwwan.inf

Filesize
73KB

MD5
5667cdc8aa7e89f575417aa5837f9202

SHA1
6449ecffb2a4aebaf4f05a69ac14fb202847f364

SHA256
363addf226aca987a56a2caa95ce19eea4dd86654d46e103f0d6184863ace934

SHA512
02f00e41469e9e9d76a3928ff5ce651f2977f236642f59e6e25fec3c78dfe3ecf7cc1e7253e1bf65ff6834566547172d175366d37d0dd711394f41e573340965

Download Submit
C:\Users\Admin\AppData\Local\Temp\{66187df2-795e-518f-8b36-7e7917c47a73}\SET9822.tmp

Filesize
44KB

MD5
bfd724e1364eb3284822e0b27899d78c

SHA1
e95ff9e797d391ca0aa93b55f3cec5dfb9e95e5a

SHA256
f59f3b976a682c730201e2d4aa4e33f627f92595aa4fde117521a12f2ee8e305

SHA512
9ff0081d900b94cf12ac2b1dbec1fd5ebb108a5048068534a894a6f20c743be387522c45965fc3d68af81d113fa3cb23e5397ed62088641c46c2579a410d66fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6ff916c8-8bdc-57fb-58a4-f72837da4037}\SETC89B.tmp

Filesize
97KB

MD5
7dc0850624be0d3e8def9d653c013291

SHA1
5ffe8a50771d9dd6d3a9d15f14575517bedfda5d

SHA256
070db359908f6955e129024d1de0acf4750790f21ced52fb333e056d2fdd7be7

SHA512
a51a447a8f9793691a9d0314b846c6e3555c22c693c7e0367307001c19744bd8b1ba72261de925c740af9d69a07cbb94a1e5a51b1128394a5a732e2fec1a040e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6ff916c8-8bdc-57fb-58a4-f72837da4037}\SETC89C.tmp

Filesize
9KB

MD5
e7fb3e2ee6ae0890da972587516a8110

SHA1
93267d82c6564f618fafdd6f8a3edb5d8eff70bb

SHA256
94dd4e0aab352f69f7788a98563048f23f50402862e89376ca5ec5b742373eba

SHA512
6478515112c69674e54474a38b81fe8c1301fbfe64536b96162ade151e5baae22d1886230da2dd477a9d5448797b39f8f4fcb65d88fcb5bdb242a60868630edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6ff916c8-8bdc-57fb-58a4-f72837da4037}\qdss\amd64\SETC899.tmp

Filesize
46KB

MD5
0b13a08c6eaa6d7ad76bc43d64b9732b

SHA1
1e7e512dc690675b3814a879d17642d030ba4ac9

SHA256
08ec62ca5a4a64ac48f9963f8623b99d135b9fda6b658ade2564df15d822d950

SHA512
709a29c317a06c893a4efa334d0a9455876c592a659d081bee712a964fe48918af2cea8e9bb0e607ea3915bee6c6442615ffd6084fd9edfd8ae465440b003032

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6ff916c8-8bdc-57fb-58a4-f72837da4037}\qdss\amd64\SETC89A.tmp

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Windows\Installer\MSI70FD.tmp

Filesize
1.6MB

MD5
fba7113c8d1b7eecd0e731c184418f29

SHA1
9961d5ca567f32c703a6b953933ff5fc22fca396

SHA256
1d10c129f67a74e1d393bf3c71f76285d3082ce5aa2712e8ffc2c8e148d659d5

SHA512
9cad372e139e744a7ade1e7c1b1f50508a22f2c69a5f73417c5a1db588bde34767e402d7770986f758e7cd118f2d67f6be2bb3fa2765e4e7c0bad7e4a4acc631

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF

Filesize
100KB

MD5
53abeaf4271e16d43396001f16384511

SHA1
1a2a6c860c083f517268e62f4f22cce41c50c3c4

SHA256
95e3870cbd94193b2de414a9f0ce73ed9fd8e24637b0eb3fcea321cc6b94b4f3

SHA512
a17154781aabbcb72d422ef212788b158e7f4d49d79b075e7ea3ca11f4b5655fefcbdc092335489949831a754012f55b15e299631d77f6acdd39a07d3a979807

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_011cf7b068aef58d\qcser.PNF

Filesize
184KB

MD5
4624100d85e7091195a25d52a0b6e067

SHA1
9e4f3a731a8b8db4d9c4b12baa4eb63e63b237a7

SHA256
a6acdc6a9744e619870249fec21e7beb991ad9880c8a213d94b46c8c149dea85

SHA512
c78db3220a6b5b9f7f5fba02e785217e07915e0fbd632ea27678ad2c16a558b141478129826d911511927d1bad0eaa3fb3ef0fdcad4f01d0aa512f6e9e28907e

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
19fe98076d8b4a699799d8ba09eabd9b

SHA1
2feb2ec355f6ea1cdf682e33c9cc28f8cbd7b859

SHA256
f6383eff09dad5996c1e413551bde5518832986cf4e02b048ba844105ca3aaf5

SHA512
10d9de2a57c56f240b2550d5c47740247f1a259539d34baafd5d0fb8e9bf29245d5efc91339933eed8b0cde9781b77c3e6c15408b4466b9de856cff2e2c624ec

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
191KB

MD5
13ebfd0a9ebdfcde1ff9d54da61fbaac

SHA1
b874930a33d8fa2e7740d1f5d6c891aa08aeeec9

SHA256
c9ab927b4a3ccf6e77550a5603a6f761f4260580932fc3a0f1273922beeda791

SHA512
ab2f20ac18afca4545b41209e3f9d6cdf0a849eca6e8674fa4b103d2809d2f65e8d5d85fbd0d4fe9a310e0960d368b2c05254516015e1c0b5952d78c5d737a78

Download Submit
C:\Windows\Temp\Cab7B1B.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar7B2E.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
\Users\Admin\AppData\Local\Temp\{EDF035E3-63F8-4A59-BC9B-672E01499E26}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
memory/800-508-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/800-698-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/800-200-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1028-197-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1028-194-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2028-509-0x000007FEF6900000-0x000007FEF693A000-memory.dmp

Filesize
232KB

Download
memory/2564-48-0x0000000003770000-0x00000000037F9000-memory.dmp

Filesize
548KB

Download
memory/2564-18-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2564-700-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2564-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2564-21-0x0000000002BE0000-0x0000000002D95000-memory.dmp

Filesize
1.7MB

Download
memory/2564-45-0x0000000003540000-0x00000000035E7000-memory.dmp

Filesize
668KB

Download
memory/2568-701-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2568-13-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2568-76-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-9-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2644-11-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-623-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-65-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-434-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-5-0x0000000000473000-0x0000000000477000-memory.dmp

Filesize
16KB

Download
memory/2716-674-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-78-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-83-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-88-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-702-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download