floxif | fad98b9ce764a79fb8af81dd2cbb131dea2c139f6259d1c430fdc45d956c5946

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
Size

22.2MB
MD5

951e5314b5dcda4113f3c901d0b0ca1a
SHA1

586bc2d30f18cb86da56d8543733ff50774ef51e
SHA256

fad98b9ce764a79fb8af81dd2cbb131dea2c139f6259d1c430fdc45d956c5946
SHA512

fdae534a86a8beb14045e8184d95da53ff8a1128e8cabe0f5be60030a7f1908a31b19fe5f7fa879f64b5b465f7b9843362784a8777c4cca2c93f86a202c250cc
SSDEEP

393216:XXe9sQXKIQ2A6p/jJicojuCXiv3vMBnz4CFxDqg9u4PS6n4CEJXE0wEKD3/LU:XXe9sQXKx6liUCXk3EmCFpq4PznwXDwk

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x00450000000120f4-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00450000000120f4-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
3044	ISBEW64.exe
2740	ISBEW64.exe
2736	ISBEW64.exe
2580	ISBEW64.exe
1100	ISBEW64.exe
2908	ISBEW64.exe
1432	ISBEW64.exe
2928	ISBEW64.exe
1148	ISBEW64.exe
1852	ISBEW64.exe
348	ISBEW64.exe
1696	qcmtusvc.exe
1708	DriverInstaller64.exe

Loads dropped DLL 21 IoCs

pid	Process
2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
2972	MsiExec.exe
852	MsiExec.exe
852	MsiExec.exe
836	Process not Found
836	Process not Found
1708	DriverInstaller64.exe
852	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\e:	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\serial\amd64\SET6114.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_dd21d0caf44e7fa8\qcmdm.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\ndis\6.2	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\filter\amd64\SET4684.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\serial\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\serial	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_neutral_936d995a371b46f4\qcwwan.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\SETA99B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdbusb.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\SET4682.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_91142176ceafe65a\qcfilter.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\serial\amd64\SET6114.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\qcser.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\SET78DA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\ndis	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_neutral_c68a388aad774c96\qdbusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdss	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\SET9129.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\SET78D9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\SET78DA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdss\amd64\SETA998.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_91142176ceafe65a\qcfilter.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_7d91b3baab562649\qcser.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\serial\amd64\SET78D8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\qcser.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\SET9129.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdss\amd64\SETA999.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\filter\amd64\SET4684.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\qcser.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_7d91b3baab562649\qcser.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\SETA99A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\qcfilter.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdss\amd64\qdbusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\SET78D9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\qcwwan.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdss\amd64\SETA999.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\SETA99B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\SET4682.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\filter	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\serial\amd64\SET78D8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_neutral_dd21d0caf44e7fa8\qcmdm.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\ndis\6.2\amd64\qcusbwwan.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\serial\amd64	DrvInst.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00450000000120f4-1.dat	upx
behavioral1/memory/2116-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-69-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-73-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-76-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-306-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-413-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-602-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2116-729-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\logReader.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriversInstallerCA.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.pdb	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f77365d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem6.inf	DrvInst.exe
File created	C:\Windows\Installer\f77365d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3E88.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File created	C:\Windows\INF\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\f77365f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC120.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3801.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\INF\oem6.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f77365c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77365c.msi	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DriverInstaller64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000040f7e1419b6ddb01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "54605E80078F0E84081B971B66E8A6D7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777253"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
2584	msiexec.exe
2584	msiexec.exe
2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
Token: SeShutdownPrivilege	2452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2584	msiexec.exe
Token: SeTakeOwnershipPrivilege	2584	msiexec.exe
Token: SeSecurityPrivilege	2584	msiexec.exe
Token: SeCreateTokenPrivilege	2452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2452	msiexec.exe
Token: SeLockMemoryPrivilege	2452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2452	msiexec.exe
Token: SeMachineAccountPrivilege	2452	msiexec.exe
Token: SeTcbPrivilege	2452	msiexec.exe
Token: SeSecurityPrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeLoadDriverPrivilege	2452	msiexec.exe
Token: SeSystemProfilePrivilege	2452	msiexec.exe
Token: SeSystemtimePrivilege	2452	msiexec.exe
Token: SeProfSingleProcessPrivilege	2452	msiexec.exe
Token: SeIncBasePriorityPrivilege	2452	msiexec.exe
Token: SeCreatePagefilePrivilege	2452	msiexec.exe
Token: SeCreatePermanentPrivilege	2452	msiexec.exe
Token: SeBackupPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeShutdownPrivilege	2452	msiexec.exe
Token: SeDebugPrivilege	2452	msiexec.exe
Token: SeAuditPrivilege	2452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2452	msiexec.exe
Token: SeChangeNotifyPrivilege	2452	msiexec.exe
Token: SeRemoteShutdownPrivilege	2452	msiexec.exe
Token: SeUndockPrivilege	2452	msiexec.exe
Token: SeSyncAgentPrivilege	2452	msiexec.exe
Token: SeEnableDelegationPrivilege	2452	msiexec.exe
Token: SeManageVolumePrivilege	2452	msiexec.exe
Token: SeImpersonatePrivilege	2452	msiexec.exe
Token: SeCreateGlobalPrivilege	2452	msiexec.exe
Token: SeShutdownPrivilege	2872	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2872	msiexec.exe
Token: SeCreateTokenPrivilege	2872	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2872	msiexec.exe
Token: SeLockMemoryPrivilege	2872	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2872	msiexec.exe
Token: SeMachineAccountPrivilege	2872	msiexec.exe
Token: SeTcbPrivilege	2872	msiexec.exe
Token: SeSecurityPrivilege	2872	msiexec.exe
Token: SeTakeOwnershipPrivilege	2872	msiexec.exe
Token: SeLoadDriverPrivilege	2872	msiexec.exe
Token: SeSystemProfilePrivilege	2872	msiexec.exe
Token: SeSystemtimePrivilege	2872	msiexec.exe
Token: SeProfSingleProcessPrivilege	2872	msiexec.exe
Token: SeIncBasePriorityPrivilege	2872	msiexec.exe
Token: SeCreatePagefilePrivilege	2872	msiexec.exe
Token: SeCreatePermanentPrivilege	2872	msiexec.exe
Token: SeBackupPrivilege	2872	msiexec.exe
Token: SeRestorePrivilege	2872	msiexec.exe
Token: SeShutdownPrivilege	2872	msiexec.exe
Token: SeDebugPrivilege	2872	msiexec.exe
Token: SeAuditPrivilege	2872	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2872	msiexec.exe
Token: SeChangeNotifyPrivilege	2872	msiexec.exe
Token: SeRemoteShutdownPrivilege	2872	msiexec.exe
Token: SeUndockPrivilege	2872	msiexec.exe
Token: SeSyncAgentPrivilege	2872	msiexec.exe
Token: SeEnableDelegationPrivilege	2872	msiexec.exe
Token: SeManageVolumePrivilege	2872	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2452	msiexec.exe
2452	msiexec.exe
2872	msiexec.exe
2872	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
1708	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2452	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	30
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2116 wrote to memory of 2872	2116	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	32
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2584 wrote to memory of 2972	2584	msiexec.exe	33
PID 2972 wrote to memory of 3044	2972	MsiExec.exe	34
PID 2972 wrote to memory of 3044	2972	MsiExec.exe	34
PID 2972 wrote to memory of 3044	2972	MsiExec.exe	34
PID 2972 wrote to memory of 3044	2972	MsiExec.exe	34
PID 2972 wrote to memory of 2740	2972	MsiExec.exe	35
PID 2972 wrote to memory of 2740	2972	MsiExec.exe	35
PID 2972 wrote to memory of 2740	2972	MsiExec.exe	35
PID 2972 wrote to memory of 2740	2972	MsiExec.exe	35
PID 2972 wrote to memory of 2736	2972	MsiExec.exe	36
PID 2972 wrote to memory of 2736	2972	MsiExec.exe	36
PID 2972 wrote to memory of 2736	2972	MsiExec.exe	36
PID 2972 wrote to memory of 2736	2972	MsiExec.exe	36
PID 2972 wrote to memory of 2580	2972	MsiExec.exe	37
PID 2972 wrote to memory of 2580	2972	MsiExec.exe	37
PID 2972 wrote to memory of 2580	2972	MsiExec.exe	37
PID 2972 wrote to memory of 2580	2972	MsiExec.exe	37
PID 2972 wrote to memory of 1100	2972	MsiExec.exe	38
PID 2972 wrote to memory of 1100	2972	MsiExec.exe	38
PID 2972 wrote to memory of 1100	2972	MsiExec.exe	38
PID 2972 wrote to memory of 1100	2972	MsiExec.exe	38
PID 2972 wrote to memory of 2908	2972	MsiExec.exe	39
PID 2972 wrote to memory of 2908	2972	MsiExec.exe	39
PID 2972 wrote to memory of 2908	2972	MsiExec.exe	39
PID 2972 wrote to memory of 2908	2972	MsiExec.exe	39
PID 2972 wrote to memory of 1432	2972	MsiExec.exe	40
PID 2972 wrote to memory of 1432	2972	MsiExec.exe	40
PID 2972 wrote to memory of 1432	2972	MsiExec.exe	40
PID 2972 wrote to memory of 1432	2972	MsiExec.exe	40
PID 2972 wrote to memory of 2928	2972	MsiExec.exe	41
PID 2972 wrote to memory of 2928	2972	MsiExec.exe	41
PID 2972 wrote to memory of 2928	2972	MsiExec.exe	41
PID 2972 wrote to memory of 2928	2972	MsiExec.exe	41
PID 2972 wrote to memory of 1148	2972	MsiExec.exe	42
PID 2972 wrote to memory of 1148	2972	MsiExec.exe	42
PID 2972 wrote to memory of 1148	2972	MsiExec.exe	42
PID 2972 wrote to memory of 1148	2972	MsiExec.exe	42
PID 2972 wrote to memory of 1852	2972	MsiExec.exe	43
PID 2972 wrote to memory of 1852	2972	MsiExec.exe	43
PID 2972 wrote to memory of 1852	2972	MsiExec.exe	43
PID 2972 wrote to memory of 1852	2972	MsiExec.exe	43
PID 2972 wrote to memory of 348	2972	MsiExec.exe	44
PID 2972 wrote to memory of 348	2972	MsiExec.exe	44
PID 2972 wrote to memory of 348	2972	MsiExec.exe	44

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2452
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8B29131894EBA71C915D49FE915B276 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F84CFFD-22A5-4DFD-8C1B-810E6EDB1B50}
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF0B04F2-2CC1-4F2A-9085-6381DE618807}
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A526C9BF-FB92-46D6-B70D-2E9D08A1B921}
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{57E6CF02-2766-4FB0-96FE-B0BF1032618B}
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91F91057-F27D-4BE5-BDBA-E6A26A87C723}
    3⤵
    - Executes dropped EXE
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5334E7FD-4389-48A4-8A28-0EE9607B4018}
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1906D58C-CA36-4061-9E90-D81908D34830}
    3⤵
    - Executes dropped EXE
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{058C5862-D42C-41E5-9159-88CD35C32616}
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1789D9CC-8915-46E6-AAD7-13C66D7F1468}
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2CE78D7D-B668-49B2-83AA-86E1E515F7B4}
    3⤵
    - Executes dropped EXE
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3780EB75-F3E4-41D5-A1D4-CF5A7B6E4425}
    3⤵
    - Executes dropped EXE
    PID:348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CDBB65F00AA5143185EFC2EDF811B7D M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:852
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1900

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A4" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:532

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{189a7f7d-38c4-29c3-58da-1d295532dd46}\qcfilter.inf" "9" "6342d598b" "00000000000003B8" "WinSta0\Default" "0000000000000320" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:288
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{15a401e8-664c-41b3-9cd7-1756f30a7447} Global\{43827082-56a5-5c9e-d27c-0d27838ac935} C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{18aefee1-e03c-6edd-3883-9c5ebaff6830}\qcfilter.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:936

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{01724ea0-b3e0-3e46-7138-9b69bdac0d0d}\qcser.inf" "9" "60f02979b" "0000000000000320" "WinSta0\Default" "00000000000005A4" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2076
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{08329782-c498-6007-4204-f2104efd4c18} Global\{1fdeef53-52a2-49f9-c4af-9d0c74523c2e} C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\qcser.inf C:\Windows\System32\DriverStore\Temp\{768eb577-5af8-54e7-6d52-316c079af26d}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2804

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{20dd0b07-acce-625b-25da-142091ab7547}\qcmdm.inf" "9" "62223751f" "00000000000005A4" "WinSta0\Default" "00000000000003AC" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1240
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1703c069-7771-1c35-e966-e750181a9f20} Global\{4fbac356-3997-706f-0b29-4826711c5c76} C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\qcmdm.inf C:\Windows\System32\DriverStore\Temp\{33ab2f47-f316-182d-0d5f-64302b04944c}\qcser.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1216

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{788302e5-c921-780a-99ab-477b2e2d9523}\qcwwan.inf" "9" "64190a197" "00000000000003AC" "WinSta0\Default" "00000000000003B8" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:532
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{003b9937-a25c-40fe-1943-4a3c73bef85a} Global\{1ce2baa3-cb27-06ab-7d25-691e53844a58} C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\qcwwan.inf C:\Windows\System32\DriverStore\Temp\{7d009f5d-67dd-241d-b698-9e29a10b2034}\qcwwan.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1228

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{38cefb9e-ef87-79b9-b74a-cf7df7737e36}\qdbusb.inf" "9" "6a7d91597" "00000000000003B8" "WinSta0\Default" "0000000000000320" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1904
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1106e01d-b75a-4cd9-b02d-252486846000} Global\{48217782-453a-4a5b-702f-2c4f0b93f121} C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdbusb.inf C:\Windows\System32\DriverStore\Temp\{75bac458-205c-1b5e-6d49-995e3aab5a7a}\qdbusb.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77365e.rbs

Filesize
36KB

MD5
f65b695249021c8732953cf276a0b659

SHA1
561f058fcb76ec15ba270fb1552be3604d7e96a6

SHA256
a4e56cdb3a7cf00057e551fb0f152772e8edc42c709bcd713c93ff9a0c575ce6

SHA512
5c8c01a561f73cd478548c438558402531b8969066c52da692c5db5add74f0d59c175dba2d6b1cfb88685be5a35f7f2becbf745a6fe62396da7e85ac03739fa1

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DifxApi\amd64\difxapi.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
cf9a93ed8f3b472a9c1eb6acb619b9d4

SHA1
9725cb577b28f9a71d66af1f5c075423c3f2c66a

SHA256
b6d6cbf256f08fe397d23c989d41ff6f4bd60b11751f7e7585cfe5dc534b5e26

SHA512
d79581bb5a82a3b396faa20683f5afdcc2933ff525450722142541dbb9450b99f31910983c41420b47dc9b09f2507738d00bcd4047aabbfe23c9a325970394b4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
94KB

MD5
184fb15f93f73790d5dfae0a22557ee4

SHA1
f3de31f1db7e76fd26d7ad4953b0a01c070da8ba

SHA256
2443015b8822a3793c141571135ef1cb79f324700d33266103e3ba599e1b6c21

SHA512
5e6e8a7fc5187f886e33769028f2f4aa5410615c681eb0aa0136ac08c81954c86d7a58b000004294dc60239d8f76c3bda9eafcfd3f1ad7d1c86bd3eb6ad2ea3e

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
36KB

MD5
4e8ff95823ed15cf1bb13489f88784f5

SHA1
f25210d6d26b842ae8a11e3b5c4e18835e4a3b13

SHA256
5fa46ab5487d00840642d82eb321aab0c716b19dc9cd21aaa4af74a7b47a5e2e

SHA512
6d2056e302c73e7092cbd5badb705ae52fb99b4279c174b524c3656d090434e45a2c0e9c4ed24f4215cff112bbe3ae317776bb00d58a7a27c99266c589bcc667

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf

Filesize
44KB

MD5
f1ee860f01ef686168926b2eb70da7aa

SHA1
5000f8e9c765906819b7bc5ee7ba9a8de8c0f4ee

SHA256
db8c72dffd89b859c8d3b511d3c0452d031079c21648d94a8cdfb9c403e492dd

SHA512
12823e92a89b2b52d85388f732dcf57303b3bc3f03fa4332244f30d2a180458cb0e58f533c62608f5ac1613b99df4f4b873e8d663e5f5ca9d4cca379bda1e020

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.cat

Filesize
95KB

MD5
acdc05e308c96515b4b8eda582b1191a

SHA1
9ed26a48419a8435cb6982e6d1d86585213621ee

SHA256
550507c87bdd89d0619328529fefee2933736c85d239367c5e429e0d6febd07c

SHA512
1c7bbbc1144e66cc87977074f73bd6c86ba05ca21fadf7f8ac81088fca6776a20fb5d260c366006100adb766697f91e4f2cd4290d2662ec52b0db60dbff93963

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
100KB

MD5
66702ca8991184e99b39304cbe964bb3

SHA1
99d9453c89e7fedd06f12f3d96b9931e63bdec29

SHA256
717d8c9eb75808d711ec31ad97f5cf4699798c95d4336f57cc54ff09aab9ff6e

SHA512
e3efbb1be20fc84f31112f75fe412d8e7efaf980038a09e2e9a502810e173dbee0abc3ce4c3a6ac608a84ea9cdeafd5fb32ea44da3e5f39d184363e6167cb950

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB654.tmp

Filesize
1.3MB

MD5
ca189a2b762e64d61303bfd4d88fd0a6

SHA1
13bf55664fb0345d3931458f75b6039c1213f46a

SHA256
dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a

SHA512
31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.7MB

MD5
cde633c7be2c8db52f0922f8a8e0c613

SHA1
a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f

SHA256
a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5

SHA512
e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01724ea0-b3e0-3e46-7138-9b69bdac0d0d}\serial\amd64\SET608A.tmp

Filesize
239KB

MD5
358bc4b7bf9bca41abea485058f9b360

SHA1
47974d8e6512497c9ad6a79919e1cd58366d5e97

SHA256
6fff206a1def97219541568d76d2077ac5db1daef2c6d995f6ac4a83e57ed898

SHA512
1d6de7f4db5f2320889f8e23176b8e6ebacd8ed03fb7bbb62841e105c83fcc6eaa571c89e605f3d41258fa629dd72c5e2305ea7c26855735b1baced84046404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{189a7f7d-38c4-29c3-58da-1d295532dd46}\filter\amd64\SET4646.tmp

Filesize
39KB

MD5
45ef50b1446371ec2411e6ec6f6dabab

SHA1
d2e78f2eba854b57626e69fd9298cd390d76f544

SHA256
65b7baabfcb0788147b1a5bb03083008f6040f6c321b6a5e2892680c5eec9abd

SHA512
5f0377571bd44c83fbd64b8406fcfcf47aef3cd5308d664193d364f978e87c67aa00fd456cc8647ce06381e6c9c6c621a16b5708330776091ca3c6b130957b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38cefb9e-ef87-79b9-b74a-cf7df7737e36}\SETA929.tmp

Filesize
95KB

MD5
582be70e74fd908714af436aa546c119

SHA1
b8179d1f818322da5593d19646e646084ec846e7

SHA256
8c3208d04d1c5fe011659b97692a024df5a607f1a480072127bb0f47073aeffa

SHA512
dce438135be6786e57eda011b786596c751e3ab7bd15e5553ac7643f54d7014aff6d723c52732d306d70054c3a9980968e71fd14dd1480590290fe34f9134a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38cefb9e-ef87-79b9-b74a-cf7df7737e36}\SETA92A.tmp

Filesize
8KB

MD5
028f4b4eea445e57839a0511736cb887

SHA1
55074bcd41bc4b90b52f89d7fd20b35885b3ad95

SHA256
248c3c0a0a6b2f2a7f7438120906d29c8adbb9ee447dd47d7eb16a7c260f531d

SHA512
7faeaccfbd89cfed6bd00fab215e906673505bb64baff4760e7c5fbc385b23b85131d2769bacbaa5f3af3d4cf078ff7d9e61986b5421fb256d64f4726efa7690

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38cefb9e-ef87-79b9-b74a-cf7df7737e36}\qdss\amd64\SETA917.tmp

Filesize
44KB

MD5
c6ea8d40d2bf25d9011c37e27d65c484

SHA1
9d00f36c1ba545c2c140aa12e6ff0b5917b17f8b

SHA256
ed89b3315d5ff28ccde22b90680d44c7ad8de630601baa2921c96c25d85aae3f

SHA512
b54d2e8dd7692ea4f9308be891330d277ba7b592e2a40b1a330176668d1e3aa7243cd792c70743d1f978bcf992116c4c6f28f2cb02fd4536d53cedc9a13e26ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38cefb9e-ef87-79b9-b74a-cf7df7737e36}\qdss\amd64\SETA918.tmp

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\{788302e5-c921-780a-99ab-477b2e2d9523}\ndis\6.2\amd64\qcusbwwan.sys

Filesize
504KB

MD5
4999657681bacef73fd6c5162a3bbfb5

SHA1
5d062c1acc28c4e3852043bbbdd87266f22dc478

SHA256
2d759dfd3a6623edd3b2f1634e6192815c25952094ae72cfbbd9ea46d25f7226

SHA512
637295c1c467316268268c2a2b529e0a0175c471807c6cddedf83ddfa2537554720bc53cbabf3864d58c0fb7cd41669805b842c0c58a06caf5d6243143ece290

Download Submit
C:\Users\Admin\AppData\Local\Temp\{788302e5-c921-780a-99ab-477b2e2d9523}\qcwwan.cat

Filesize
94KB

MD5
a08b4295c74ebc18d6a5f281ca2c3eea

SHA1
9718561dd5f541854bb3dceb0554ee780f4cad43

SHA256
be76010e324e2fcd9990a82265ff8757375f45fc692202ebf5d974b85fcbc777

SHA512
170b32913c40c94ef7d32d2c2c011b6671feb64a91b1ba9c5f0ba44db79264b577871bedbc58ff308ea98926f767823432a86f0749208c1092460d6adb5c92f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{788302e5-c921-780a-99ab-477b2e2d9523}\qcwwan.inf

Filesize
72KB

MD5
be202547e7b7317e0eaacb373fb65034

SHA1
f286b1dff477e7bb1b89028d10ed2164f43ee1c1

SHA256
635ec113fb8682ccb237afae4de441882a3edd12526fd7d0f4e0450c54cf8bc6

SHA512
b6fab25bfbd1fef0ad4fa25b1f72829a189fcbb98abb1c36d484fa21acfd8cf71efc58dcb869c424ad8aea8469d224f71a653bd7d14fb82561c815ac1e534c1a

Download Submit
C:\Windows\Installer\MSI3E88.tmp

Filesize
1.6MB

MD5
ab8d1cf0de0c1594c2093ccf0128e0b8

SHA1
ddba6dc5c69ba72c879fb15cc109503adb759fdc

SHA256
2f975e52b9e6a99dd3515f7b9bc30e89d39cb44e9fb1a8f3e43ab330df42f0a4

SHA512
0a01b500ef221777ffeeacccf47794d1d468bf86a24f53a6558cd21d244dfb614f552047352f8c5c01682322fceab21089bc2a8bef6ad502c81b347b8f8c1fb9

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_neutral_91142176ceafe65a\qcfilter.PNF

Filesize
97KB

MD5
e031ac88fd5fee8ca2dceaee823bf1ec

SHA1
9ff09b85a8a174cd0944bbdc05d6b23ae9020522

SHA256
fd177fb9bdadc0f43df7e7986d41310d9173fd77faacfe62a74a7134b4885fe5

SHA512
c737f9109c26957295965f4574f8963a037c4472a0a6fab38fa718d19e16f23dcf60949ef2dd9d0935118a53b001ec1f5b9d61aa295c56a9910bc365cfa490b8

Download Submit
C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_neutral_7d91b3baab562649\qcser.PNF

Filesize
182KB

MD5
2acb3f62ebe616b6f113745d26b73f97

SHA1
58eb9e59b383c3f936e6b56a21e7e9c896e0291a

SHA256
b8be1cfeed2898c6c94f8365c77ab29682abd86ef98ea79e0c02df0a75f4cba7

SHA512
3eca6502fb2778d4a0ce7cb8e81b8bd94585534e6afc4a0f3dc3c668ebd38387ad6c6dd61fc13bc86e3c3a1f66f385776d86182dc8f87356c33b09fc0d79abbc

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
f85ecd3ebafffdcd7cfbfedce364f85d

SHA1
39575de7bc7e7f1e8d2e8161d566578a2e04f468

SHA256
28581e86d2383dcc75d54452a5adc715bc8c87902d310b04d46b6841825a66d5

SHA512
53304cb21d8bb065aab407e0da93cf590389df019019c5bdef25e2c20826635d56be206794d977a3a7a20767d2415e85ee7b39d0e09307e1aa366b6469651ef3

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.5MB

MD5
496b1e62f00384d3f8b82204a4389671

SHA1
c3c263d0efa7e0738ef5bbc8d679c77fa6965125

SHA256
e92030f009aac81ad99452194ae5d64f3121277d4ec12539569127e5ac87b26d

SHA512
ae04ec0b38d3a5089f49c6d9d73070b39db3043857b5ea11247c8c1f099164cd450253669a4014b6b2575c741946bafea8c0995af7f4427469208c0d780a7d53

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
9ed5d48302a177fcf84e7a55f71dc901

SHA1
fd6442d9f800060c4f3219493a0883dfe156ef8e

SHA256
cfee38f4fb06f997ceca53db950defba43e19739ce1c86703580279374ed382b

SHA512
83dafa056c500a13a8666ca21db70c3cd20540300e5038819579b679c0bb3ddf1247e80029ccf7213021643a895c1f1b7569e5934026320abe7bb08344a13bae

Download Submit
C:\Windows\Temp\Cab4710.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar4723.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
6e0321ff9f386106d64e7b863e1866ea

SHA1
f9898d7bdd18691518ff1d615a693922bcc3a26c

SHA256
f0cbd9fb9abc814e470a4126d3f7b7bf2fc769c20593b402ad2cb979e4817625

SHA512
0449c4ee6fb9798d6dc24e08d70aabc8fb1ecec4696c34e42440ff8a93ae93f058a235b8cf0078699723cbc42a3a579519d048ace5add0bd28d5866fb4d3eb04

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
\Users\Admin\AppData\Local\Temp\{CFE845C4-A57A-4E48-A21D-07401AB91B11}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
memory/1216-486-0x000007FEF6A70000-0x000007FEF6AAA000-memory.dmp

Filesize
232KB

Download
memory/2116-69-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-306-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-73-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-602-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-76-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-413-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2116-729-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-42-0x00000000032B0000-0x0000000003339000-memory.dmp

Filesize
548KB

Download
memory/2972-39-0x0000000002EA0000-0x0000000002F47000-memory.dmp

Filesize
668KB

Download
memory/2972-15-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download