floxif | 0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Size

22.3MB
MD5

11e8ce1c130f56c79b70751cd7669d8c
SHA1

560ff3bdf4483fddbf948ac8e715d8cfaf2a42d0
SHA256

0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133
SHA512

6f1d1c4584b18c3d0aab8821c7f22e558eecec356204a5a6cd92f361dad23041dc751c2d5083db210cf8d9117b1721b4012303ba2032e9e1e13ea514ca0b560f
SSDEEP

393216:GX9pjHs4737sM3HgVrAmIQoLd28A+a0r/DdXLnEsRgcHcqcp0q3WI28d+olEi:GX9pLsstBg89xDdbn8c8qk3N2QlX

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00080000000120f9-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120f9-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
2980	ISBEW64.exe
1764	ISBEW64.exe
2240	ISBEW64.exe
2164	ISBEW64.exe
2060	ISBEW64.exe
2844	ISBEW64.exe
924	ISBEW64.exe
2760	ISBEW64.exe
2964	ISBEW64.exe
492	ISBEW64.exe
1036	ISBEW64.exe
340	qcmtusvc.exe
2952	DriverInstaller64.exe

Loads dropped DLL 21 IoCs

pid	Process
1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2264	MsiExec.exe
2264	MsiExec.exe
864	Process not Found
864	Process not Found
2952	DriverInstaller64.exe
2264	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\e:	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\serial\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_da7c440389b70c99\qcwwan.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\qcfilter.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\filter\amd64\SET7AEC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\filter	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\SET8806.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\SETD0C9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\SET7ADC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\qcfilter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdbusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\SET7ADB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\qcwwan.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\SET8805.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\SETD0C9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\SET7ADC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\ndis	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdss\amd64\SETD0B8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdss\amd64\SETD0B8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_neutral_4ef97d5ab321c09e\qdbusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_neutral_4ef97d5ab321c09e\qdbusb.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\serial\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\SET7ADB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\SETB867.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\qcwwan.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\ndis\6.2\amd64\SETB878.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_da7c440389b70c99\qcwwan.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\serial\amd64\SET8804.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_df834dbe3a4f2ca5\qcmdm.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\SETB867.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\ndis\6.2\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdss\amd64\SETD0B7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\qcmdm.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdss\amd64\SETD0B7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\SETD0CA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\qcser.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\SETA037.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\SETB868.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\serial\amd64\qcusbser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\serial\amd64\SETA035.tmp	DrvInst.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-1.dat	upx
behavioral1/memory/1964-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-74-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-80-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-407-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-536-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-699-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-729-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\logReader.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.sys	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f776f37.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE8BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7021.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\f776f38.ipi	msiexec.exe
File created	C:\Windows\Installer\f776f38.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI733F.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f776f37.msi	msiexec.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f776f3a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000080ab417f5559db01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "50F96F0F677D720429F0EAB3F42EA9A4"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777256"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
2884	msiexec.exe
2884	msiexec.exe
1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Token: SeShutdownPrivilege	2736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2736	msiexec.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeCreateTokenPrivilege	2736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2736	msiexec.exe
Token: SeLockMemoryPrivilege	2736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2736	msiexec.exe
Token: SeMachineAccountPrivilege	2736	msiexec.exe
Token: SeTcbPrivilege	2736	msiexec.exe
Token: SeSecurityPrivilege	2736	msiexec.exe
Token: SeTakeOwnershipPrivilege	2736	msiexec.exe
Token: SeLoadDriverPrivilege	2736	msiexec.exe
Token: SeSystemProfilePrivilege	2736	msiexec.exe
Token: SeSystemtimePrivilege	2736	msiexec.exe
Token: SeProfSingleProcessPrivilege	2736	msiexec.exe
Token: SeIncBasePriorityPrivilege	2736	msiexec.exe
Token: SeCreatePagefilePrivilege	2736	msiexec.exe
Token: SeCreatePermanentPrivilege	2736	msiexec.exe
Token: SeBackupPrivilege	2736	msiexec.exe
Token: SeRestorePrivilege	2736	msiexec.exe
Token: SeShutdownPrivilege	2736	msiexec.exe
Token: SeDebugPrivilege	2736	msiexec.exe
Token: SeAuditPrivilege	2736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2736	msiexec.exe
Token: SeChangeNotifyPrivilege	2736	msiexec.exe
Token: SeRemoteShutdownPrivilege	2736	msiexec.exe
Token: SeUndockPrivilege	2736	msiexec.exe
Token: SeSyncAgentPrivilege	2736	msiexec.exe
Token: SeEnableDelegationPrivilege	2736	msiexec.exe
Token: SeManageVolumePrivilege	2736	msiexec.exe
Token: SeImpersonatePrivilege	2736	msiexec.exe
Token: SeCreateGlobalPrivilege	2736	msiexec.exe
Token: SeShutdownPrivilege	2224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	msiexec.exe
Token: SeCreateTokenPrivilege	2224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2224	msiexec.exe
Token: SeLockMemoryPrivilege	2224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2224	msiexec.exe
Token: SeMachineAccountPrivilege	2224	msiexec.exe
Token: SeTcbPrivilege	2224	msiexec.exe
Token: SeSecurityPrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeLoadDriverPrivilege	2224	msiexec.exe
Token: SeSystemProfilePrivilege	2224	msiexec.exe
Token: SeSystemtimePrivilege	2224	msiexec.exe
Token: SeProfSingleProcessPrivilege	2224	msiexec.exe
Token: SeIncBasePriorityPrivilege	2224	msiexec.exe
Token: SeCreatePagefilePrivilege	2224	msiexec.exe
Token: SeCreatePermanentPrivilege	2224	msiexec.exe
Token: SeBackupPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeShutdownPrivilege	2224	msiexec.exe
Token: SeDebugPrivilege	2224	msiexec.exe
Token: SeAuditPrivilege	2224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2224	msiexec.exe
Token: SeChangeNotifyPrivilege	2224	msiexec.exe
Token: SeRemoteShutdownPrivilege	2224	msiexec.exe
Token: SeUndockPrivilege	2224	msiexec.exe
Token: SeSyncAgentPrivilege	2224	msiexec.exe
Token: SeEnableDelegationPrivilege	2224	msiexec.exe
Token: SeManageVolumePrivilege	2224	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2736	msiexec.exe
2736	msiexec.exe
2224	msiexec.exe
2224	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
2952	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2736	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	30
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 1964 wrote to memory of 2224	1964	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	32
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2884 wrote to memory of 2544	2884	msiexec.exe	33
PID 2544 wrote to memory of 2980	2544	MsiExec.exe	34
PID 2544 wrote to memory of 2980	2544	MsiExec.exe	34
PID 2544 wrote to memory of 2980	2544	MsiExec.exe	34
PID 2544 wrote to memory of 2980	2544	MsiExec.exe	34
PID 2544 wrote to memory of 1764	2544	MsiExec.exe	35
PID 2544 wrote to memory of 1764	2544	MsiExec.exe	35
PID 2544 wrote to memory of 1764	2544	MsiExec.exe	35
PID 2544 wrote to memory of 1764	2544	MsiExec.exe	35
PID 2544 wrote to memory of 2240	2544	MsiExec.exe	36
PID 2544 wrote to memory of 2240	2544	MsiExec.exe	36
PID 2544 wrote to memory of 2240	2544	MsiExec.exe	36
PID 2544 wrote to memory of 2240	2544	MsiExec.exe	36
PID 2544 wrote to memory of 2164	2544	MsiExec.exe	37
PID 2544 wrote to memory of 2164	2544	MsiExec.exe	37
PID 2544 wrote to memory of 2164	2544	MsiExec.exe	37
PID 2544 wrote to memory of 2164	2544	MsiExec.exe	37
PID 2544 wrote to memory of 2060	2544	MsiExec.exe	38
PID 2544 wrote to memory of 2060	2544	MsiExec.exe	38
PID 2544 wrote to memory of 2060	2544	MsiExec.exe	38
PID 2544 wrote to memory of 2060	2544	MsiExec.exe	38
PID 2544 wrote to memory of 2844	2544	MsiExec.exe	39
PID 2544 wrote to memory of 2844	2544	MsiExec.exe	39
PID 2544 wrote to memory of 2844	2544	MsiExec.exe	39
PID 2544 wrote to memory of 2844	2544	MsiExec.exe	39
PID 2544 wrote to memory of 924	2544	MsiExec.exe	40
PID 2544 wrote to memory of 924	2544	MsiExec.exe	40
PID 2544 wrote to memory of 924	2544	MsiExec.exe	40
PID 2544 wrote to memory of 924	2544	MsiExec.exe	40
PID 2544 wrote to memory of 2760	2544	MsiExec.exe	41
PID 2544 wrote to memory of 2760	2544	MsiExec.exe	41
PID 2544 wrote to memory of 2760	2544	MsiExec.exe	41
PID 2544 wrote to memory of 2760	2544	MsiExec.exe	41
PID 2544 wrote to memory of 2964	2544	MsiExec.exe	42
PID 2544 wrote to memory of 2964	2544	MsiExec.exe	42
PID 2544 wrote to memory of 2964	2544	MsiExec.exe	42
PID 2544 wrote to memory of 2964	2544	MsiExec.exe	42
PID 2544 wrote to memory of 492	2544	MsiExec.exe	43
PID 2544 wrote to memory of 492	2544	MsiExec.exe	43
PID 2544 wrote to memory of 492	2544	MsiExec.exe	43
PID 2544 wrote to memory of 492	2544	MsiExec.exe	43
PID 2544 wrote to memory of 1036	2544	MsiExec.exe	44
PID 2544 wrote to memory of 1036	2544	MsiExec.exe	44
PID 2544 wrote to memory of 1036	2544	MsiExec.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2736
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EFCAD5EE92981BA10548552BB85DD12 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9E83C5B0-2EEB-40C9-B4B5-E55EFD280946}
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C517C29D-A8DF-44B7-8FEE-69CD3E7DE72E}
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F75FEBAE-0E90-44BB-9E92-D5FC9329F027}
    3⤵
    - Executes dropped EXE
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E7D2EEB-0354-4960-B029-715DB00F9EC7}
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{400DBA48-D9BC-4BB3-B50A-17C7E8F111B2}
    3⤵
    - Executes dropped EXE
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4CABC388-E0F9-4A4C-A172-340B97774DD0}
    3⤵
    - Executes dropped EXE
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C540C099-7C8F-4DDD-8FE0-B9BBB69B63FA}
    3⤵
    - Executes dropped EXE
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7EBD15E-291E-4D5C-8FF4-38C298C18053}
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9E1E95F-31D4-483F-B3FB-D033BF91D002}
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50FE25DE-E6B5-4386-98E3-55623BB41CC1}
    3⤵
    - Executes dropped EXE
    PID:492
- - C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7F902D3B-64DF-43DA-917B-548A8EC2FF26}
    3⤵
    - Executes dropped EXE
    PID:1036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 572463B68C7442CFA7D08E51C1C786AD M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:944

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "000000000000031C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2112

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:340

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0ed6f03a-45ec-3570-4724-882af4b4e405}\qcfilter.inf" "9" "6342d598b" "00000000000003BC" "WinSta0\Default" "00000000000005D0" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:600
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{62d27a3f-bc17-50f0-fa4c-fc036a9b4a5c} Global\{31d3f33e-d11d-02b5-f3ea-4d45fbd64b21} C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{10d62e6d-713a-3909-0442-d00497a6c356}\qcfilter.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1004

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{276a25d0-4688-15d2-3dd9-9a79e9f6d043}\qcser.inf" "9" "60f02979b" "00000000000005D0" "WinSta0\Default" "00000000000005DC" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2228
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{14bc68a1-37a9-45ed-7156-d378291b6673} Global\{24ed1a2b-7e3e-481f-c0ea-a82690ff6d77} C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\qcser.inf C:\Windows\System32\DriverStore\Temp\{1c5468b7-7291-25b2-7c99-0a1fa0b1280f}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{63ad5d56-b5c3-0a07-8b83-7854170c6f6f}\qcmdm.inf" "9" "62223751f" "00000000000005DC" "WinSta0\Default" "000000000000031C" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2940
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{19f187b1-572d-6f8a-ab89-094947518907} Global\{5a4b5b35-e003-742b-065f-787843667646} C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\qcmdm.inf C:\Windows\System32\DriverStore\Temp\{04cde69c-914d-44a9-d616-b6290260fe76}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1256

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2feee2a2-acbf-305a-6bf2-8a265348211e}\qcwwan.inf" "9" "64190a197" "000000000000031C" "WinSta0\Default" "00000000000003BC" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1004
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7480df3d-9cb4-3b9b-b20b-786b5696e26d} Global\{2f2e1de7-224f-4a5e-e126-3131a7fd2168} C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\qcwwan.inf C:\Windows\System32\DriverStore\Temp\{7fa8abb6-eb4c-297e-9757-7911caf5bf2d}\qcwwan.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2524

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{24f839d3-d022-4192-ef3c-546d8235b010}\qdbusb.inf" "9" "6a7d91597" "00000000000003BC" "WinSta0\Default" "00000000000005D0" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2400
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2f3c2d04-de7e-53e0-83fd-2848dc5a301a} Global\{7e714532-0a9a-625a-8f40-113b5f86030f} C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdbusb.inf C:\Windows\System32\DriverStore\Temp\{0deaa57d-02ae-2533-9404-d552377bb415}\qdbusb.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f776f39.rbs

Filesize
36KB

MD5
97632b34faf450103522c3cd8c73109f

SHA1
c61a7d2a6e2f4a128b8e0d40266bfa971044d529

SHA256
e6cee49f401e4b609a2be0ea0d8f69ca53003e4f0b657f5a7c973a0f645574c4

SHA512
79edb367440fb2f7f60b809341aabdeddb8b3fa00a8f1f7fe0f85562d57f37dfc72bfd17f0e439e51f9475e36105e45a0075a3415e9462b5f0b76d8177bc6c45

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\filter\amd64\qcusbfilter.sys

Filesize
39KB

MD5
8438bd5302eed284de96cf98accdfda2

SHA1
7aacc6fcc500345e6df8cec8839cc63a890779f1

SHA256
0011975f3bad3d11747ca9ba4c24ea674d63131e679ac552d4af2b5ffd7f86dc

SHA512
406eee9d1450b1cf3a4f1b259182b2fb8f494e297498d4f24f45c5d61fd70c8869b3dc750c144da62d58f6985a2ff715e352be337aa623ecc676d471a3bd73bf

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DifxApi\amd64\difxapi.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
537b58f4523aa9638859d88d61d3ff77

SHA1
522b5f172d44d84e7e72201fde56bad684832237

SHA256
e1a039481b5470841932f440864c14d0139991d22655da1673afcef33b07f82d

SHA512
c2348d6001c6819233a55b1e2ced1fbdbfb6db630c38ffa59185680c31bca8868dfc9ba06350d9d4e9b70f555d0b1e7afa4ba7b55718ee103df5d41e1ecc57a4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
96KB

MD5
d7a950a11638dc52717d9270ef09e150

SHA1
ec1a37f5e70431b63609199a067784f4a63b2d5c

SHA256
0d2a9ef7f0bcdde3d7b5f548b29fed32f4aee8d253d3da41553b7a4dc87a57a0

SHA512
0af7bcaf1058d70790a97641a5f46706323b9a649e5731c51885fa1fe5f7d2474e9bbd907db3ae275bda8246951c7eef46c23076fcea1c8750fb2809dd51a0e4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
37KB

MD5
c44f842ad6d69df37aa0dcf5b05d54b7

SHA1
62eeff99483ba72c0fb341e768124d74071855c5

SHA256
5a544fda42a991a970ea3417ab49f967cdcb9fe89a14ae53d6566707a328b730

SHA512
44743848307af8d47b978189ba6d192d7d1c39c98bf2d2efe123bc2afc6ed42bade0e101e0b7e8ccb729949ffe89626ce995937d17c8b217e472e45e3ea368fa

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf

Filesize
44KB

MD5
bfd724e1364eb3284822e0b27899d78c

SHA1
e95ff9e797d391ca0aa93b55f3cec5dfb9e95e5a

SHA256
f59f3b976a682c730201e2d4aa4e33f627f92595aa4fde117521a12f2ee8e305

SHA512
9ff0081d900b94cf12ac2b1dbec1fd5ebb108a5048068534a894a6f20c743be387522c45965fc3d68af81d113fa3cb23e5397ed62088641c46c2579a410d66fd

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.cat

Filesize
97KB

MD5
da65117158c5a4d005ad82a68e53e1e8

SHA1
78c0fb4c89a7cac5e3e36ce9e9c54b6507bc2e2a

SHA256
04390a6986d3809f81dbcb345481cd7bcc54430c041754b5464201dcbb6b9bf5

SHA512
5619d046b5047ba8620667835364724bf1c78ab91b74bcb8ade36ff5e8e6cc5c8dc2d56709b083c187ea5ed74679bb10ac3eba3d494dd6e1d7f889831eb4cc44

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
101KB

MD5
756d9f6aa85025335d121246e5262528

SHA1
54d28ffe46bb81c86ca498bd0c357d63416b2fa7

SHA256
c8fbd819931030b3800397643ce23bac7f9cb46a770c8c7e5104682afbd0571a

SHA512
3012c1b14700bd3dc91f79cd774a61d5b0849203ce6a3d9be742ad902f8d7b52700061fcbde85ce8df2b4ca04b48a66ba81f87616ae7c12028b1ad9699a1f08d

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF373.tmp

Filesize
1.3MB

MD5
526de93ee8ed331cf89a744c3aefc355

SHA1
c5e8410afc34ebde8372e0e1711e4155d34dece3

SHA256
f369ed198e835a3362d1c7d5ddf4b853f9339aafa6b5a6032fe13fb51c02c590

SHA512
b3b21ff3f4f98d8d5b14f191d04061addc4c44faf492a4788becfef5cbd55ecc82fc7eb373649fa825264d79b763955d708948412b47555b965ff9ea2d195a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.9MB

MD5
fcf5ad3c6e3630c94858e8dd51d07e3a

SHA1
87f6a86b18d0133ca75e63948c85fdd7aef04003

SHA256
11d689580a499cc28048ded32bb408ce417e723787edb8eb4ac68336016c0539

SHA512
a1c19f0977a26468dd6125c8422aa154d4d16f20717be9aa9de95b81dfdc4bd21db52502f102906ba9c9f862a1908ff925a02f4e0f527d4a4328d13758d3e271

Download Submit
C:\Users\Admin\AppData\Local\Temp\{24f839d3-d022-4192-ef3c-546d8235b010}\SETD0A6.tmp

Filesize
97KB

MD5
7dc0850624be0d3e8def9d653c013291

SHA1
5ffe8a50771d9dd6d3a9d15f14575517bedfda5d

SHA256
070db359908f6955e129024d1de0acf4750790f21ced52fb333e056d2fdd7be7

SHA512
a51a447a8f9793691a9d0314b846c6e3555c22c693c7e0367307001c19744bd8b1ba72261de925c740af9d69a07cbb94a1e5a51b1128394a5a732e2fec1a040e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{24f839d3-d022-4192-ef3c-546d8235b010}\SETD0A7.tmp

Filesize
9KB

MD5
e7fb3e2ee6ae0890da972587516a8110

SHA1
93267d82c6564f618fafdd6f8a3edb5d8eff70bb

SHA256
94dd4e0aab352f69f7788a98563048f23f50402862e89376ca5ec5b742373eba

SHA512
6478515112c69674e54474a38b81fe8c1301fbfe64536b96162ade151e5baae22d1886230da2dd477a9d5448797b39f8f4fcb65d88fcb5bdb242a60868630edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{24f839d3-d022-4192-ef3c-546d8235b010}\qdss\amd64\SETD094.tmp

Filesize
46KB

MD5
0b13a08c6eaa6d7ad76bc43d64b9732b

SHA1
1e7e512dc690675b3814a879d17642d030ba4ac9

SHA256
08ec62ca5a4a64ac48f9963f8623b99d135b9fda6b658ade2564df15d822d950

SHA512
709a29c317a06c893a4efa334d0a9455876c592a659d081bee712a964fe48918af2cea8e9bb0e607ea3915bee6c6442615ffd6084fd9edfd8ae465440b003032

Download Submit
C:\Users\Admin\AppData\Local\Temp\{24f839d3-d022-4192-ef3c-546d8235b010}\qdss\amd64\SETD095.tmp

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\{276a25d0-4688-15d2-3dd9-9a79e9f6d043}\serial\amd64\SET87AA.tmp

Filesize
240KB

MD5
a5a4cb5c986715796eb1285289b9c779

SHA1
549fafefb36d1df67d1b8b7817041e4f5677e6ed

SHA256
357eb980c5d7a9ab4cfa5892432dac41ee9c0f03420fa9b927d78119054f91f6

SHA512
032c45b2bba7c5dfafbd0583bc96e79c1710dd981775d6184c131d49835d2183aad7dbaaeda2f45f2b3f490c3a8158c0d901c5467f4ca3158ff01a61c59cc1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2feee2a2-acbf-305a-6bf2-8a265348211e}\ndis\6.2\amd64\qcusbwwan.sys

Filesize
535KB

MD5
d08431790b71fbd56875762df88185d9

SHA1
03a6fe5c60799a5c0a12f10e3aa837cddd026d81

SHA256
d6298128cfc0f56646340d8d67bf124412ea2e9852fe9342e36bff177a4a01b0

SHA512
1cceaddacaab89e76a350dcd96a1e329a1c2234ea6c33a5f48615f3f6d55f9aa62cb3690e6057df71df2191a98e5dfd712f2d5f3b6da410989adb40a521910ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2feee2a2-acbf-305a-6bf2-8a265348211e}\qcwwan.cat

Filesize
96KB

MD5
1f367e482b4ad610667b425ec6fe8812

SHA1
49769d83232e2e366817691f03686e5ef0e70c65

SHA256
6476bf4f4f731a10e7766f24cec6d71db5140481ff16b87390b402fe8502786a

SHA512
5b0db6294b4305652341647036114ef5680be958a94744d9713fdf9e40254f9750f5649792bcce8b03bbf6cb5b533747a84894e1f82a35fc38c392f65ec48e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2feee2a2-acbf-305a-6bf2-8a265348211e}\qcwwan.inf

Filesize
73KB

MD5
5667cdc8aa7e89f575417aa5837f9202

SHA1
6449ecffb2a4aebaf4f05a69ac14fb202847f364

SHA256
363addf226aca987a56a2caa95ce19eea4dd86654d46e103f0d6184863ace934

SHA512
02f00e41469e9e9d76a3928ff5ce651f2977f236642f59e6e25fec3c78dfe3ecf7cc1e7253e1bf65ff6834566547172d175366d37d0dd711394f41e573340965

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
C:\Windows\Installer\MSI733F.tmp

Filesize
1.6MB

MD5
fba7113c8d1b7eecd0e731c184418f29

SHA1
9961d5ca567f32c703a6b953933ff5fc22fca396

SHA256
1d10c129f67a74e1d393bf3c71f76285d3082ce5aa2712e8ffc2c8e148d659d5

SHA512
9cad372e139e744a7ade1e7c1b1f50508a22f2c69a5f73417c5a1db588bde34767e402d7770986f758e7cd118f2d67f6be2bb3fa2765e4e7c0bad7e4a4acc631

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_5b0e44f80f8a8e2f\qcfilter.PNF

Filesize
100KB

MD5
62b6e0e531ce2def0c1c0da09575db66

SHA1
9f5dc6d9fea555ae6bab93f8a571dbade40f4775

SHA256
78a5c7ddd0f456a8a388c26dc9e9dc6bb705d84ba2d842e109aacd046f0c1b4e

SHA512
6778d6bfec16a8fc543f7c79810532ed04a3210de30aa1cfd8b8436620a44791b6031d38a85fbf4679fde587ca4fd7cdab24bbc96e31398f8aa83462f971337f

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_011cf7b068aef58d\qcser.PNF

Filesize
184KB

MD5
739cbe790a3bf2b2564dc1c28b6f8877

SHA1
354ff731690b12ade0325fab8e96b1014df24aeb

SHA256
a181f92f7a69a2363b567d16c322258c19f7ad85ab4d53247da222e6dfd7cbe8

SHA512
507f01af3df5699a8589912ca24435c2a6680a1e1f4861a173fb46df3dd6dfd5edb18ac4797d1c21a46667094ef649a4801e903dfc92310801812fd877784876

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
52f97b1e542e3dd416b901bc4d331f43

SHA1
46b4a3d29691cf89fb320a61da20bc141906c856

SHA256
e25204dff855e123b4b43fafe4b677cbbf166087efa87c86cd6d62c79b65cabb

SHA512
305da9b0f7ba139fe4ada072a7aeb5b4b1ff8b28b4f9d64a9d60cefff17257a6adbb735192c8192bc2894a0a8928812bc2e99df4d3ecb98a2ee1f72b3fd286b5

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.5MB

MD5
9afb39f2e570b462401baf0f894f5126

SHA1
4e9f08827f9a462928eb0effacf2e9eafa1a6baf

SHA256
539ff47b7cedc58b16f4a5ba3dd09c498f127a407beca7b1db293e2c3bc2a8c6

SHA512
9beaabe3001b49816c188b4ab5e6f5669c8d50124a4fa2fbe20a1aa6ae8966067804e1b9c94df124f62843157c2ca80672b341cf313251ae9ed3db3f23d0062a

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
191KB

MD5
242804fdb97785e30a856a5675993ae4

SHA1
19f4850e9abb75e6fd1a10ef23e66a4492677503

SHA256
721d08593fd1236798606455e3a4da3963f613dd0d87566bc46965f909e271be

SHA512
3104fb72153f12191f6f27c6f8dceb3e1f72a7f286fe8af505414d6cc7b33b82a0f3e96955bc3d7919a3611c11803def8cf793d2e5678bbdd7aa84545cb9a823

Download Submit
C:\Windows\Temp\Cab7B0B.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar7B0E.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
2e42457c54c0d281aa191c7ca8e7bc11

SHA1
33d5ad6b11cd681f956e5dc607c54c5eca168e19

SHA256
210f20b72fe67a1b12846aab7886b6bd9702a3caf31a3b6affab3a0dc60199ff

SHA512
434872af382e5a73570c1a13d18b9febc71bec25d2ce20fdcfa0fbd23afb103b136d91fa6b6e8b01736a0b59d1477e7296d8a6fda2b26aa0c679454c9246ec1e

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
\Users\Admin\AppData\Local\Temp\{3B9051C9-70F2-4B68-BCF2-CA49346E2EA6}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
memory/1256-486-0x000007FEF5F00000-0x000007FEF5F3A000-memory.dmp

Filesize
232KB

Download
memory/1964-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-407-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-80-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-74-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-536-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-699-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-5-0x0000000000473000-0x0000000000477000-memory.dmp

Filesize
16KB

Download
memory/1964-729-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2544-43-0x0000000003320000-0x00000000033A9000-memory.dmp

Filesize
548KB

Download
memory/2544-40-0x0000000003110000-0x00000000031B7000-memory.dmp

Filesize
668KB

Download
memory/2544-12-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download