floxif | a3423bf9cd6d13981e3efb81bd2d4861b2606d1bfcca8472e1ade9a8f87bd905

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
Size

22.2MB
MD5

ef5b79d11d56ac638acea43040ba6e2e
SHA1

be50d85741ddf0c0b28b55e340b330824ec341e8
SHA256

a3423bf9cd6d13981e3efb81bd2d4861b2606d1bfcca8472e1ade9a8f87bd905
SHA512

6381b6c4ef8de0fc48c564c9e02f6df1d562434ad3ddf86fa4a456b9ca49847f3b8c3f14caecfc88aa2a340df055e6b7a10ca1f6db22ff2b67764192df283052
SSDEEP

393216:6XePsQXKIQ2A6p/jJicojuCXiv3vMBnz4CFxDqg9u4PS6n4CEJXE0wEKD3/LR:6XePsQXKx6liUCXk3EmCFpq4PznwXDwB

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0008000000012102-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012102-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
812	ISBEW64.exe
1432	ISBEW64.exe
564	ISBEW64.exe
2160	ISBEW64.exe
112	ISBEW64.exe
2952	ISBEW64.exe
2668	ISBEW64.exe
2980	ISBEW64.exe
2220	ISBEW64.exe
1584	ISBEW64.exe
1924	ISBEW64.exe
2200	qcmtusvc.exe
2508	DriverInstaller64.exe

Loads dropped DLL 26 IoCs

pid	Process
2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
2732	msiexec.exe
2652	msiexec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2728	MsiExec.exe
2200	qcmtusvc.exe
1700	MsiExec.exe
1700	MsiExec.exe
1700	MsiExec.exe
864	Process not Found
864	Process not Found
2508	DriverInstaller64.exe
1700	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\e:	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\qcfilter.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\filter\amd64\SETFD16.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\SET390A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\serial\amd64\qcusbser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\SET8AA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\SET20DB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\SETFD14.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_91142176ceafe65a\qcfilter.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\SET20DA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\qcser.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_dd21d0caf44e7fa8\qcmdm.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\SET390B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdss	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\filter\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\ndis\6.2\amd64\qcusbwwan.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdss\amd64\qdbusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\filter\amd64\qcusbfilter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\filter	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\SET20DB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\qcwwan.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\SET8A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_91142176ceafe65a\qcfilter.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\SET8A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\serial\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_936d995a371b46f4\qcwwan.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\SET390B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\SET516C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_neutral_c68a388aad774c96\qdbusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\filter\amd64\SETFD16.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\serial\amd64\SET8A8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_7d91b3baab562649\qcser.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\ndis\6.2\amd64\SET390C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdss\amd64\SET516A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\qcfilter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\serial\amd64\SET20CA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\SETFD15.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\SET8AA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\SET20DA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_936d995a371b46f4\qcwwan.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\ndis\6.2\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\SET516D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012102-1.dat	upx
behavioral1/memory/2816-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2732-8-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2732-9-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2652-12-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2728-16-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2652-74-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2728-75-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-76-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-81-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-86-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-192-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2200-195-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1700-198-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-425-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1700-428-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-573-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-715-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1700-749-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2728-750-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2652-752-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2816-753-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriversInstallerCA.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\INF\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\f76f152.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI6951.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76f154.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76f151.msi	msiexec.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76f152.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF52A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76f151.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF23B.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777253"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "54605E80078F0E84081B971B66E8A6D7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
2944	msiexec.exe
2944	msiexec.exe
2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2944	msiexec.exe
Token: SeTakeOwnershipPrivilege	2944	msiexec.exe
Token: SeSecurityPrivilege	2944	msiexec.exe
Token: SeCreateTokenPrivilege	2732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2732	msiexec.exe
Token: SeLockMemoryPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeMachineAccountPrivilege	2732	msiexec.exe
Token: SeTcbPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeLoadDriverPrivilege	2732	msiexec.exe
Token: SeSystemProfilePrivilege	2732	msiexec.exe
Token: SeSystemtimePrivilege	2732	msiexec.exe
Token: SeProfSingleProcessPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2732	msiexec.exe
Token: SeCreatePagefilePrivilege	2732	msiexec.exe
Token: SeCreatePermanentPrivilege	2732	msiexec.exe
Token: SeBackupPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeAuditPrivilege	2732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2732	msiexec.exe
Token: SeChangeNotifyPrivilege	2732	msiexec.exe
Token: SeRemoteShutdownPrivilege	2732	msiexec.exe
Token: SeUndockPrivilege	2732	msiexec.exe
Token: SeSyncAgentPrivilege	2732	msiexec.exe
Token: SeEnableDelegationPrivilege	2732	msiexec.exe
Token: SeManageVolumePrivilege	2732	msiexec.exe
Token: SeImpersonatePrivilege	2732	msiexec.exe
Token: SeCreateGlobalPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2652	msiexec.exe
Token: SeShutdownPrivilege	2652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2652	msiexec.exe
Token: SeCreateTokenPrivilege	2652	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2652	msiexec.exe
Token: SeLockMemoryPrivilege	2652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2652	msiexec.exe
Token: SeMachineAccountPrivilege	2652	msiexec.exe
Token: SeTcbPrivilege	2652	msiexec.exe
Token: SeSecurityPrivilege	2652	msiexec.exe
Token: SeTakeOwnershipPrivilege	2652	msiexec.exe
Token: SeLoadDriverPrivilege	2652	msiexec.exe
Token: SeSystemProfilePrivilege	2652	msiexec.exe
Token: SeSystemtimePrivilege	2652	msiexec.exe
Token: SeProfSingleProcessPrivilege	2652	msiexec.exe
Token: SeIncBasePriorityPrivilege	2652	msiexec.exe
Token: SeCreatePagefilePrivilege	2652	msiexec.exe
Token: SeCreatePermanentPrivilege	2652	msiexec.exe
Token: SeBackupPrivilege	2652	msiexec.exe
Token: SeRestorePrivilege	2652	msiexec.exe
Token: SeShutdownPrivilege	2652	msiexec.exe
Token: SeDebugPrivilege	2652	msiexec.exe
Token: SeAuditPrivilege	2652	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2652	msiexec.exe
Token: SeChangeNotifyPrivilege	2652	msiexec.exe
Token: SeRemoteShutdownPrivilege	2652	msiexec.exe
Token: SeUndockPrivilege	2652	msiexec.exe
Token: SeSyncAgentPrivilege	2652	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2732	msiexec.exe
2732	msiexec.exe
2652	msiexec.exe
2652	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
2508	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2732	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	30
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2816 wrote to memory of 2652	2816	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	32
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2944 wrote to memory of 2728	2944	msiexec.exe	33
PID 2728 wrote to memory of 812	2728	MsiExec.exe	34
PID 2728 wrote to memory of 812	2728	MsiExec.exe	34
PID 2728 wrote to memory of 812	2728	MsiExec.exe	34
PID 2728 wrote to memory of 812	2728	MsiExec.exe	34
PID 2728 wrote to memory of 1432	2728	MsiExec.exe	35
PID 2728 wrote to memory of 1432	2728	MsiExec.exe	35
PID 2728 wrote to memory of 1432	2728	MsiExec.exe	35
PID 2728 wrote to memory of 1432	2728	MsiExec.exe	35
PID 2728 wrote to memory of 564	2728	MsiExec.exe	36
PID 2728 wrote to memory of 564	2728	MsiExec.exe	36
PID 2728 wrote to memory of 564	2728	MsiExec.exe	36
PID 2728 wrote to memory of 564	2728	MsiExec.exe	36
PID 2728 wrote to memory of 2160	2728	MsiExec.exe	37
PID 2728 wrote to memory of 2160	2728	MsiExec.exe	37
PID 2728 wrote to memory of 2160	2728	MsiExec.exe	37
PID 2728 wrote to memory of 2160	2728	MsiExec.exe	37
PID 2728 wrote to memory of 112	2728	MsiExec.exe	38
PID 2728 wrote to memory of 112	2728	MsiExec.exe	38
PID 2728 wrote to memory of 112	2728	MsiExec.exe	38
PID 2728 wrote to memory of 112	2728	MsiExec.exe	38
PID 2728 wrote to memory of 2952	2728	MsiExec.exe	39
PID 2728 wrote to memory of 2952	2728	MsiExec.exe	39
PID 2728 wrote to memory of 2952	2728	MsiExec.exe	39
PID 2728 wrote to memory of 2952	2728	MsiExec.exe	39
PID 2728 wrote to memory of 2668	2728	MsiExec.exe	40
PID 2728 wrote to memory of 2668	2728	MsiExec.exe	40
PID 2728 wrote to memory of 2668	2728	MsiExec.exe	40
PID 2728 wrote to memory of 2668	2728	MsiExec.exe	40
PID 2728 wrote to memory of 2980	2728	MsiExec.exe	41
PID 2728 wrote to memory of 2980	2728	MsiExec.exe	41
PID 2728 wrote to memory of 2980	2728	MsiExec.exe	41
PID 2728 wrote to memory of 2980	2728	MsiExec.exe	41
PID 2728 wrote to memory of 2220	2728	MsiExec.exe	42
PID 2728 wrote to memory of 2220	2728	MsiExec.exe	42
PID 2728 wrote to memory of 2220	2728	MsiExec.exe	42
PID 2728 wrote to memory of 2220	2728	MsiExec.exe	42
PID 2728 wrote to memory of 1584	2728	MsiExec.exe	43
PID 2728 wrote to memory of 1584	2728	MsiExec.exe	43
PID 2728 wrote to memory of 1584	2728	MsiExec.exe	43
PID 2728 wrote to memory of 1584	2728	MsiExec.exe	43
PID 2728 wrote to memory of 1924	2728	MsiExec.exe	44
PID 2728 wrote to memory of 1924	2728	MsiExec.exe	44
PID 2728 wrote to memory of 1924	2728	MsiExec.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2732
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B603C9C00554D0A0D0F5716ED93C42DF C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C66A15AE-9BBE-4D50-8915-AE51ACA1B640}
    3⤵
    - Executes dropped EXE
    PID:812
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B9A6F8C-C16B-4945-B484-9600BE7B67EB}
    3⤵
    - Executes dropped EXE
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66262AE7-0FCA-4618-8233-B4EB2A0A4316}
    3⤵
    - Executes dropped EXE
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DAAFC5F-918D-4A6A-8DE8-4A0D73F40001}
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8E34CEC6-62AD-48DF-9E6B-8B3BEA8B2666}
    3⤵
    - Executes dropped EXE
    PID:112
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A9859C6-E585-4EBF-BE87-45E38D434B5A}
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8EC40706-7210-4AE9-8B48-6F965B5298D7}
    3⤵
    - Executes dropped EXE
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4DE26373-05B4-470C-8B35-A6F9C60C76F5}
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{69EC77F8-1F3B-4D4D-8C8D-5158862BC307}
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B8E9FF5-13F1-4472-8545-6F4FCE049509}
    3⤵
    - Executes dropped EXE
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F90A127B-88D2-4544-81AD-18CFC16F1821}
    3⤵
    - Executes dropped EXE
    PID:1924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B1D7F441DC8C7AB25124811C96DD5EBA M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1700
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:872

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "0000000000000068"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2380

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2200

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{29775d6b-04b7-5186-fe11-f80463a4ea47}\qcfilter.inf" "9" "6342d598b" "0000000000000064" "WinSta0\Default" "0000000000000068" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2132
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{74eff000-2dbd-69a2-641a-51540943ec44} Global\{7d12211d-42a9-7162-1786-0541a56d350f} C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{5828a3e4-7e85-25fb-4aeb-5b29f55bf604}\qcfilter.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{58b78312-3fd0-7b12-322f-6b037cd39064}\qcser.inf" "9" "60f02979b" "0000000000000068" "WinSta0\Default" "00000000000003B8" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:588
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3bb0f95d-bc83-4fe4-33b2-96594a05cc45} Global\{12a76fbb-ff13-7195-c9b0-b67243ba4c63} C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\qcser.inf C:\Windows\System32\DriverStore\Temp\{1c8f70fd-792a-0c9d-00e7-9a040b824230}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2860

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4276ae3f-b6f8-6b13-eaad-4b479b2c1133}\qcmdm.inf" "9" "62223751f" "00000000000003B8" "WinSta0\Default" "0000000000000578" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1380
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5d827942-edb7-7def-868e-957140f90609} Global\{071c88f2-ab66-3034-7c1f-d3028db19f69} C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\qcmdm.inf C:\Windows\System32\DriverStore\Temp\{6464fc8f-cca2-6740-d6e0-a863e61b4106}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1660

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6c946878-17af-57f5-daaa-934444a7905d}\qcwwan.inf" "9" "64190a197" "0000000000000578" "WinSta0\Default" "0000000000000064" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2568
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{32c23485-18f2-5c56-84e5-2101ccd2b85b} Global\{49c4375f-2ff3-7e79-1875-8c66b87cf700} C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\qcwwan.inf C:\Windows\System32\DriverStore\Temp\{0e0e18fa-b16e-325d-9ca0-7a1b922fe774}\qcwwan.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2076

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3b788df2-e04c-1393-4f48-c512c3708071}\qdbusb.inf" "9" "6a7d91597" "0000000000000064" "WinSta0\Default" "0000000000000068" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1320
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{36e9ff80-40d1-699c-8a36-ca5e4b0e0313} Global\{355622fa-613a-7fb7-d090-c60c6a4d6c49} C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdbusb.inf C:\Windows\System32\DriverStore\Temp\{3ed06fdc-d122-1a09-87f0-e8667cc5667c}\qdbusb.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76f153.rbs

Filesize
36KB

MD5
a9ad06e87f75ee0bc11cbf52445018da

SHA1
c9ebf9eb180ce94947e457dd5b34cfeef55b7edf

SHA256
c22c7421875d819c9ffab5361deebb9ba3b11c58320eaabae54657922937d01d

SHA512
21d8d2d9b79c548007bbcc49d605873c449bbc72e82414caf2bb098beda9ecb9efc49e8d8a7a6786450f15c78b840e1c815fe8c76ed89ac7dae4a4bb4371542e

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\filter\amd64\qcusbfilter.sys

Filesize
39KB

MD5
45ef50b1446371ec2411e6ec6f6dabab

SHA1
d2e78f2eba854b57626e69fd9298cd390d76f544

SHA256
65b7baabfcb0788147b1a5bb03083008f6040f6c321b6a5e2892680c5eec9abd

SHA512
5f0377571bd44c83fbd64b8406fcfcf47aef3cd5308d664193d364f978e87c67aa00fd456cc8647ce06381e6c9c6c621a16b5708330776091ca3c6b130957b37

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\serial\amd64\qcusbser.sys

Filesize
239KB

MD5
358bc4b7bf9bca41abea485058f9b360

SHA1
47974d8e6512497c9ad6a79919e1cd58366d5e97

SHA256
6fff206a1def97219541568d76d2077ac5db1daef2c6d995f6ac4a83e57ed898

SHA512
1d6de7f4db5f2320889f8e23176b8e6ebacd8ed03fb7bbb62841e105c83fcc6eaa571c89e605f3d41258fa629dd72c5e2305ea7c26855735b1baced84046404a

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
cf9a93ed8f3b472a9c1eb6acb619b9d4

SHA1
9725cb577b28f9a71d66af1f5c075423c3f2c66a

SHA256
b6d6cbf256f08fe397d23c989d41ff6f4bd60b11751f7e7585cfe5dc534b5e26

SHA512
d79581bb5a82a3b396faa20683f5afdcc2933ff525450722142541dbb9450b99f31910983c41420b47dc9b09f2507738d00bcd4047aabbfe23c9a325970394b4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
94KB

MD5
184fb15f93f73790d5dfae0a22557ee4

SHA1
f3de31f1db7e76fd26d7ad4953b0a01c070da8ba

SHA256
2443015b8822a3793c141571135ef1cb79f324700d33266103e3ba599e1b6c21

SHA512
5e6e8a7fc5187f886e33769028f2f4aa5410615c681eb0aa0136ac08c81954c86d7a58b000004294dc60239d8f76c3bda9eafcfd3f1ad7d1c86bd3eb6ad2ea3e

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
36KB

MD5
4e8ff95823ed15cf1bb13489f88784f5

SHA1
f25210d6d26b842ae8a11e3b5c4e18835e4a3b13

SHA256
5fa46ab5487d00840642d82eb321aab0c716b19dc9cd21aaa4af74a7b47a5e2e

SHA512
6d2056e302c73e7092cbd5badb705ae52fb99b4279c174b524c3656d090434e45a2c0e9c4ed24f4215cff112bbe3ae317776bb00d58a7a27c99266c589bcc667

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.cat

Filesize
95KB

MD5
acdc05e308c96515b4b8eda582b1191a

SHA1
9ed26a48419a8435cb6982e6d1d86585213621ee

SHA256
550507c87bdd89d0619328529fefee2933736c85d239367c5e429e0d6febd07c

SHA512
1c7bbbc1144e66cc87977074f73bd6c86ba05ca21fadf7f8ac81088fca6776a20fb5d260c366006100adb766697f91e4f2cd4290d2662ec52b0db60dbff93963

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
100KB

MD5
66702ca8991184e99b39304cbe964bb3

SHA1
99d9453c89e7fedd06f12f3d96b9931e63bdec29

SHA256
717d8c9eb75808d711ec31ad97f5cf4699798c95d4336f57cc54ff09aab9ff6e

SHA512
e3efbb1be20fc84f31112f75fe412d8e7efaf980038a09e2e9a502810e173dbee0abc3ce4c3a6ac608a84ea9cdeafd5fb32ea44da3e5f39d184363e6167cb950

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.7MB

MD5
cde633c7be2c8db52f0922f8a8e0c613

SHA1
a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f

SHA256
a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5

SHA512
e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3b788df2-e04c-1393-4f48-c512c3708071}\SET5159.tmp

Filesize
95KB

MD5
582be70e74fd908714af436aa546c119

SHA1
b8179d1f818322da5593d19646e646084ec846e7

SHA256
8c3208d04d1c5fe011659b97692a024df5a607f1a480072127bb0f47073aeffa

SHA512
dce438135be6786e57eda011b786596c751e3ab7bd15e5553ac7643f54d7014aff6d723c52732d306d70054c3a9980968e71fd14dd1480590290fe34f9134a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3b788df2-e04c-1393-4f48-c512c3708071}\SET515A.tmp

Filesize
8KB

MD5
028f4b4eea445e57839a0511736cb887

SHA1
55074bcd41bc4b90b52f89d7fd20b35885b3ad95

SHA256
248c3c0a0a6b2f2a7f7438120906d29c8adbb9ee447dd47d7eb16a7c260f531d

SHA512
7faeaccfbd89cfed6bd00fab215e906673505bb64baff4760e7c5fbc385b23b85131d2769bacbaa5f3af3d4cf078ff7d9e61986b5421fb256d64f4726efa7690

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3b788df2-e04c-1393-4f48-c512c3708071}\qdss\amd64\SET5148.tmp

Filesize
44KB

MD5
c6ea8d40d2bf25d9011c37e27d65c484

SHA1
9d00f36c1ba545c2c140aa12e6ff0b5917b17f8b

SHA256
ed89b3315d5ff28ccde22b90680d44c7ad8de630601baa2921c96c25d85aae3f

SHA512
b54d2e8dd7692ea4f9308be891330d277ba7b592e2a40b1a330176668d1e3aa7243cd792c70743d1f978bcf992116c4c6f28f2cb02fd4536d53cedc9a13e26ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3b788df2-e04c-1393-4f48-c512c3708071}\qdss\amd64\SET5149.tmp

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4276ae3f-b6f8-6b13-eaad-4b479b2c1133}\SET20C1.tmp

Filesize
44KB

MD5
f1ee860f01ef686168926b2eb70da7aa

SHA1
5000f8e9c765906819b7bc5ee7ba9a8de8c0f4ee

SHA256
db8c72dffd89b859c8d3b511d3c0452d031079c21648d94a8cdfb9c403e492dd

SHA512
12823e92a89b2b52d85388f732dcf57303b3bc3f03fa4332244f30d2a180458cb0e58f533c62608f5ac1613b99df4f4b873e8d663e5f5ca9d4cca379bda1e020

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6c946878-17af-57f5-daaa-934444a7905d}\ndis\6.2\amd64\qcusbwwan.sys

Filesize
504KB

MD5
4999657681bacef73fd6c5162a3bbfb5

SHA1
5d062c1acc28c4e3852043bbbdd87266f22dc478

SHA256
2d759dfd3a6623edd3b2f1634e6192815c25952094ae72cfbbd9ea46d25f7226

SHA512
637295c1c467316268268c2a2b529e0a0175c471807c6cddedf83ddfa2537554720bc53cbabf3864d58c0fb7cd41669805b842c0c58a06caf5d6243143ece290

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6c946878-17af-57f5-daaa-934444a7905d}\qcwwan.cat

Filesize
94KB

MD5
a08b4295c74ebc18d6a5f281ca2c3eea

SHA1
9718561dd5f541854bb3dceb0554ee780f4cad43

SHA256
be76010e324e2fcd9990a82265ff8757375f45fc692202ebf5d974b85fcbc777

SHA512
170b32913c40c94ef7d32d2c2c011b6671feb64a91b1ba9c5f0ba44db79264b577871bedbc58ff308ea98926f767823432a86f0749208c1092460d6adb5c92f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6c946878-17af-57f5-daaa-934444a7905d}\qcwwan.inf

Filesize
72KB

MD5
be202547e7b7317e0eaacb373fb65034

SHA1
f286b1dff477e7bb1b89028d10ed2164f43ee1c1

SHA256
635ec113fb8682ccb237afae4de441882a3edd12526fd7d0f4e0450c54cf8bc6

SHA512
b6fab25bfbd1fef0ad4fa25b1f72829a189fcbb98abb1c36d484fa21acfd8cf71efc58dcb869c424ad8aea8469d224f71a653bd7d14fb82561c815ac1e534c1a

Download Submit
C:\Windows\Installer\MSIF52A.tmp

Filesize
1.6MB

MD5
ab8d1cf0de0c1594c2093ccf0128e0b8

SHA1
ddba6dc5c69ba72c879fb15cc109503adb759fdc

SHA256
2f975e52b9e6a99dd3515f7b9bc30e89d39cb44e9fb1a8f3e43ab330df42f0a4

SHA512
0a01b500ef221777ffeeacccf47794d1d468bf86a24f53a6558cd21d244dfb614f552047352f8c5c01682322fceab21089bc2a8bef6ad502c81b347b8f8c1fb9

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_91142176ceafe65a\qcfilter.PNF

Filesize
97KB

MD5
3d4ca06ac8a908351d6b8c9983671735

SHA1
d6dc2a04cad1aad1e97d6a439aea9b8fe8df6058

SHA256
c5edc681ff3606e2d06d8a4204824a35bb5aa999b18cb16d8968aa9bc8eb6a3a

SHA512
a7db82510935843095a1a8dd7db0dad7d241c3428f707306557fb54fe5e1d6b88dee49b2570281db55c45478526c4c1caa889bf388f71a1c7b3e80a203fcd5e1

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_7d91b3baab562649\qcser.PNF

Filesize
182KB

MD5
7c2f8fbd7c7bb4a4b6f15ceaef57dcc1

SHA1
d46a9275c7a209a8da1097f8c06a24689c28569a

SHA256
4f0841ba06eaf7416a133e42f15add15f7bb6d6d08be90e1826022c522b2772b

SHA512
ddf9df0d9215ba65075e7768ab7fb8230e8e426d2bc90a54dc38437f0920b926ef90e9159687d9d018862d3755e48f32a93c0a72893e3370daaf139d0eb590fa

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
52c8fecab8204d8703e0d90c77c6732a

SHA1
ba38670914a6feaa7cfd878c17788f4761d0578a

SHA256
d19511afbbddd859222ca43cb6663735a61901bf24e6310e126ad7824d653e34

SHA512
b39b22966ef798c4183f00678546299e21ee8e7f86280cfdba3122588b4530791239649aa6a431ef603515d0e3d99b9f1cf9b6965c7b0c82a59c397738baae4c

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
191KB

MD5
a3a2331fa86eb35833b7e36fdd563fb6

SHA1
c34a8da805a4aa0a07f1dc2070845d8a30296c08

SHA256
28d1e496d3bb338538c473ae43cedd4032ae3919539085d31bcd275e3634eca5

SHA512
314aa1f78b56df12585389f10d3a45c7edf7fcf9d6266f9510ecb417640b8aff0d92a69891965963f792645c8a86d95da8f9c47a7cc1f837c8d3625af91ed91e

Download Submit
C:\Windows\Temp\CabFD45.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarFD57.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
6e0321ff9f386106d64e7b863e1866ea

SHA1
f9898d7bdd18691518ff1d615a693922bcc3a26c

SHA256
f0cbd9fb9abc814e470a4126d3f7b7bf2fc769c20593b402ad2cb979e4817625

SHA512
0449c4ee6fb9798d6dc24e08d70aabc8fb1ecec4696c34e42440ff8a93ae93f058a235b8cf0078699723cbc42a3a579519d048ace5add0bd28d5866fb4d3eb04

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7465.tmp

Filesize
1.3MB

MD5
ca189a2b762e64d61303bfd4d88fd0a6

SHA1
13bf55664fb0345d3931458f75b6039c1213f46a

SHA256
dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a

SHA512
31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

Download Submit
\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
\Users\Admin\AppData\Local\Temp\{43C61D38-EC1F-4FE1-887E-CEFFA8C67FD7}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
memory/1660-499-0x000007FEF6B00000-0x000007FEF6B3A000-memory.dmp

Filesize
232KB

Download
memory/1700-749-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1700-198-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1700-428-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-192-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2200-195-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2652-74-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2652-12-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2652-752-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2728-16-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2728-750-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2728-46-0x0000000003720000-0x00000000037A9000-memory.dmp

Filesize
548KB

Download
memory/2728-19-0x0000000002C70000-0x0000000002E25000-memory.dmp

Filesize
1.7MB

Download
memory/2728-43-0x0000000003070000-0x0000000003117000-memory.dmp

Filesize
668KB

Download
memory/2728-75-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2732-9-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2732-8-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-76-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-573-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-715-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-81-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-425-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-86-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2816-753-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download