floxif | 0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133

Analysis

max time kernel
92s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Size

22.3MB
MD5

11e8ce1c130f56c79b70751cd7669d8c
SHA1

560ff3bdf4483fddbf948ac8e715d8cfaf2a42d0
SHA256

0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133
SHA512

6f1d1c4584b18c3d0aab8821c7f22e558eecec356204a5a6cd92f361dad23041dc751c2d5083db210cf8d9117b1721b4012303ba2032e9e1e13ea514ca0b560f
SSDEEP

393216:GX9pjHs4737sM3HgVrAmIQoLd28A+a0r/DdXLnEsRgcHcqcp0q3WI28d+olEi:GX9pLsstBg89xDdbn8c8qk3N2QlX

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000a000000023bef-1.dat	floxif

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0E163CB0FDCE9E468EAE5A9600402132643ADE48\Blob = 0300000001000000140000000e163cb0fdce9e468eae5a9600402132643ade480400000001000000100000007b1ffa43ba9dbac4b3893effd386d003140000000100000014000000f6aae1de13f29375ae855eaa0ec7f1526acfb0f719000000010000001000000014005b11663d5285ca9a734218bb60720f0000000100000020000000990c8a10329dc2652c3884245965026509222d4219e55405a1a0cf7a1db202d32000000001000000120500003082050e308203f6a00302010202102b13f4b6b65224ea499e5bf1f90f42b5300d06092a864886f70d01010b0500307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e67204341301e170d3135303531353030303030305a170d3137303531353233353935395a308194310b30090603550406130255533113301106035504080c0a43616c69666f726e69613112301006035504070c0953616e20446965676f311e301c060355040a0c155155414c434f4d4d20496e636f72706f7261746564311c301a060355040b0c135143542055534220486f737420447269766572311e301c06035504030c155155414c434f4d4d20496e636f72706f726174656430820122300d06092a864886f70d01010105000382010f003082010a0282010100c7c353c4328659cbd10802db6b6721e0dcebd0bfb0763d3663f561288216b040e894c1717eb8540e167a71b925c6a73e7f5772c8e4feb4e28e9bee6f91134db39873f97545ec98ebffad31a7036ecdb3a2051bb3440bceda2ff98c4ff7a5071eb2457e1ce31d20b0af7215fcf8f10bc2919b743d751aecf57de987f487a567cba87d6fb196dd5edaccb4ae11eb487961ab7a89340cf1b3c9651299bfab193e85bdd3cfbbbb8bc36c020d48b756101b3e3e10e95173c85610d74a8c98399655af13300f8e73c797cf6be3164200260cc0aa5e29eae91a5716cadce1a9774de776ac2ef6a436ff7339af9c0c48b5b42ce0afcf58afa5c6be95282b53166bb303870203010001a382016e3082016a30090603551d1304023000300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330660603551d20045f305d305b060b6086480186f84501071703304c302306082b06010505070201161768747470733a2f2f642e73796d63622e636f6d2f637073302506082b0601050507020230191a1768747470733a2f2f642e73796d63622e636f6d2f727061301f0603551d23041830168014963b53f0793397af7d83ef2e2bcccab7861e7266302b0603551d1f042430223020a01ea01c861a687474703a2f2f73762e73796d63622e636f6d2f73762e63726c305706082b06010505070101044b3049301f06082b060105050730018613687474703a2f2f73762e73796d63642e636f6d302606082b06010505073002861a687474703a2f2f73762e73796d63622e636f6d2f73762e637274301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010b0500038201010066d5d6f1c898c17d1cec0581ff7b84a9ef8828fe9b59caa3cf74a0ab66cbb36614298eec716a1c8acb1e971a6b2790210f09f7d7efa66bdf97a22b6887d876ae2781a168fe9fd68ef1933322c731ec3b93ab08e198b7a544a9d387b08951806e28e414d7decb106038dc3ee5bdb2845faf4cc5c6540a52fbeb5719965d523e321672919ecde1058e82292fb91885cc18a62c1c145453a8684fd6e26277e54dcb8043186adfe5a8f5124b4b826fe764c39c1d8431d4d05cbff409ed35d569f6ca8d0a13dc3c88f56eeac7b9fbd5e95cd2cc8fb99a61d75173d21d52e2fa160b6d1e5e7058d0bde5aca560ebfb2ffe00b08d7fb896211fd10037708e36fd4f3860	DrvInst.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023bef-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
4044	ISBEW64.exe
4252	ISBEW64.exe
628	ISBEW64.exe
2076	ISBEW64.exe
2196	ISBEW64.exe
2692	ISBEW64.exe
4244	ISBEW64.exe
5116	ISBEW64.exe
1972	ISBEW64.exe
4112	ISBEW64.exe
1416	ISBEW64.exe
4372	qcmtusvc.exe
3448	DriverInstaller64.exe

Loads dropped DLL 9 IoCs

pid	Process
4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
3324	MsiExec.exe
3448	DriverInstaller64.exe
3324	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\e:	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_5b0e44f80f8a8e2f\qcfilter.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\serial\amd64\SET50EC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{df719024-08be-d541-a71c-a9a243ca78c6}\qdss\amd64\SET5A60.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\SET3989.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{df719024-08be-d541-a71c-a9a243ca78c6}	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	rundll32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{df719024-08be-d541-a71c-a9a243ca78c6}\SET5B0E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\qcfilter.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\SET50CB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\serial\amd64\SET50EC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_011cf7b068aef58d\qcser.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\qcwwan.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d529df9-c45d-9a4c-a104-bf5bb7145cfe}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_df834dbe3a4f2ca5\qcmdm.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\ndis\6.2\amd64\qcusbwwan.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	rundll32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\serial\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d529df9-c45d-9a4c-a104-bf5bb7145cfe}\SET535C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\ndis	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\filter\amd64\qcusbfilter.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\ndis\6.2\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{df719024-08be-d541-a71c-a9a243ca78c6}\qdss\amd64\SET5A70.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_df834dbe3a4f2ca5\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\SET57C1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d529df9-c45d-9a4c-a104-bf5bb7145cfe}\SET532C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6d529df9-c45d-9a4c-a104-bf5bb7145cfe}\serial\amd64\qcusbser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\SET57C1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_df834dbe3a4f2ca5\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_4ef97d5ab321c09e\qdbusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_da7c440389b70c99\qcwwan.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_4ef97d5ab321c09e\qdbusb.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{6d529df9-c45d-9a4c-a104-bf5bb7145cfe}\serial\amd64\SET537C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\SET57B0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\ndis\6.2	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\SET50CC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_df834dbe3a4f2ca5\qcmdm.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\qcwwan.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\SET3989.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\filter	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1990946e-abf8-8948-acb8-c2f8761fc10a}\SET50CC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_4ef97d5ab321c09e\qdbusb.PNF	DriverInstaller64.exe
File created	C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\filter\amd64\SET39AB.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_5b0e44f80f8a8e2f\qcfilter.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c22a99ce-e38c-db47-a083-058a920cfc89}\SET57B0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{df719024-08be-d541-a71c-a9a243ca78c6}\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_4ef97d5ab321c09e\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023bef-1.dat	upx
behavioral2/memory/4652-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4652-69-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4652-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4652-75-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4652-80-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4652-530-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.pdb	msiexec.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.sys	msiexec.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e582a86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\Installer\e582a86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30FF.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File created	C:\Windows\Installer\e582a88.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9FB7F91-9687-4B09-894D-072903CADEA4}	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BFD.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "50F96F0F677D720429F0EAB3F42EA9A4"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777256"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
3664	msiexec.exe
3664	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	3664	msiexec.exe
Token: SeCreateTokenPrivilege	3588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3588	msiexec.exe
Token: SeLockMemoryPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeMachineAccountPrivilege	3588	msiexec.exe
Token: SeTcbPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	3588	msiexec.exe
Token: SeTakeOwnershipPrivilege	3588	msiexec.exe
Token: SeLoadDriverPrivilege	3588	msiexec.exe
Token: SeSystemProfilePrivilege	3588	msiexec.exe
Token: SeSystemtimePrivilege	3588	msiexec.exe
Token: SeProfSingleProcessPrivilege	3588	msiexec.exe
Token: SeIncBasePriorityPrivilege	3588	msiexec.exe
Token: SeCreatePagefilePrivilege	3588	msiexec.exe
Token: SeCreatePermanentPrivilege	3588	msiexec.exe
Token: SeBackupPrivilege	3588	msiexec.exe
Token: SeRestorePrivilege	3588	msiexec.exe
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeDebugPrivilege	3588	msiexec.exe
Token: SeAuditPrivilege	3588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3588	msiexec.exe
Token: SeChangeNotifyPrivilege	3588	msiexec.exe
Token: SeRemoteShutdownPrivilege	3588	msiexec.exe
Token: SeUndockPrivilege	3588	msiexec.exe
Token: SeSyncAgentPrivilege	3588	msiexec.exe
Token: SeEnableDelegationPrivilege	3588	msiexec.exe
Token: SeManageVolumePrivilege	3588	msiexec.exe
Token: SeImpersonatePrivilege	3588	msiexec.exe
Token: SeCreateGlobalPrivilege	3588	msiexec.exe
Token: SeShutdownPrivilege	1436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1436	msiexec.exe
Token: SeCreateTokenPrivilege	1436	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1436	msiexec.exe
Token: SeLockMemoryPrivilege	1436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1436	msiexec.exe
Token: SeMachineAccountPrivilege	1436	msiexec.exe
Token: SeTcbPrivilege	1436	msiexec.exe
Token: SeSecurityPrivilege	1436	msiexec.exe
Token: SeTakeOwnershipPrivilege	1436	msiexec.exe
Token: SeLoadDriverPrivilege	1436	msiexec.exe
Token: SeSystemProfilePrivilege	1436	msiexec.exe
Token: SeSystemtimePrivilege	1436	msiexec.exe
Token: SeProfSingleProcessPrivilege	1436	msiexec.exe
Token: SeIncBasePriorityPrivilege	1436	msiexec.exe
Token: SeCreatePagefilePrivilege	1436	msiexec.exe
Token: SeCreatePermanentPrivilege	1436	msiexec.exe
Token: SeBackupPrivilege	1436	msiexec.exe
Token: SeRestorePrivilege	1436	msiexec.exe
Token: SeShutdownPrivilege	1436	msiexec.exe
Token: SeDebugPrivilege	1436	msiexec.exe
Token: SeAuditPrivilege	1436	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1436	msiexec.exe
Token: SeChangeNotifyPrivilege	1436	msiexec.exe
Token: SeRemoteShutdownPrivilege	1436	msiexec.exe
Token: SeUndockPrivilege	1436	msiexec.exe
Token: SeSyncAgentPrivilege	1436	msiexec.exe
Token: SeEnableDelegationPrivilege	1436	msiexec.exe
Token: SeManageVolumePrivilege	1436	msiexec.exe
Token: SeImpersonatePrivilege	1436	msiexec.exe
Token: SeCreateGlobalPrivilege	1436	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3588	msiexec.exe
3588	msiexec.exe
1436	msiexec.exe
1436	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
3448	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3588	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	83
PID 4652 wrote to memory of 3588	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	83
PID 4652 wrote to memory of 3588	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	83
PID 4652 wrote to memory of 1436	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	85
PID 4652 wrote to memory of 1436	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	85
PID 4652 wrote to memory of 1436	4652	2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe	85
PID 3664 wrote to memory of 4976	3664	msiexec.exe	87
PID 3664 wrote to memory of 4976	3664	msiexec.exe	87
PID 3664 wrote to memory of 4976	3664	msiexec.exe	87
PID 4976 wrote to memory of 4044	4976	MsiExec.exe	88
PID 4976 wrote to memory of 4044	4976	MsiExec.exe	88
PID 4976 wrote to memory of 4252	4976	MsiExec.exe	89
PID 4976 wrote to memory of 4252	4976	MsiExec.exe	89
PID 4976 wrote to memory of 628	4976	MsiExec.exe	90
PID 4976 wrote to memory of 628	4976	MsiExec.exe	90
PID 4976 wrote to memory of 2076	4976	MsiExec.exe	91
PID 4976 wrote to memory of 2076	4976	MsiExec.exe	91
PID 4976 wrote to memory of 2196	4976	MsiExec.exe	92
PID 4976 wrote to memory of 2196	4976	MsiExec.exe	92
PID 4976 wrote to memory of 2692	4976	MsiExec.exe	93
PID 4976 wrote to memory of 2692	4976	MsiExec.exe	93
PID 4976 wrote to memory of 4244	4976	MsiExec.exe	94
PID 4976 wrote to memory of 4244	4976	MsiExec.exe	94
PID 4976 wrote to memory of 5116	4976	MsiExec.exe	95
PID 4976 wrote to memory of 5116	4976	MsiExec.exe	95
PID 4976 wrote to memory of 1972	4976	MsiExec.exe	96
PID 4976 wrote to memory of 1972	4976	MsiExec.exe	96
PID 4976 wrote to memory of 4112	4976	MsiExec.exe	97
PID 4976 wrote to memory of 4112	4976	MsiExec.exe	97
PID 4976 wrote to memory of 1416	4976	MsiExec.exe	98
PID 4976 wrote to memory of 1416	4976	MsiExec.exe	98
PID 3664 wrote to memory of 2972	3664	msiexec.exe	121
PID 3664 wrote to memory of 2972	3664	msiexec.exe	121
PID 3664 wrote to memory of 3324	3664	msiexec.exe	124
PID 3664 wrote to memory of 3324	3664	msiexec.exe	124
PID 3664 wrote to memory of 3324	3664	msiexec.exe	124
PID 3324 wrote to memory of 3448	3324	MsiExec.exe	125
PID 3324 wrote to memory of 3448	3324	MsiExec.exe	125
PID 4748 wrote to memory of 1780	4748	svchost.exe	128
PID 4748 wrote to memory of 1780	4748	svchost.exe	128
PID 1780 wrote to memory of 3808	1780	DrvInst.exe	129
PID 1780 wrote to memory of 3808	1780	DrvInst.exe	129
PID 4748 wrote to memory of 656	4748	svchost.exe	130
PID 4748 wrote to memory of 656	4748	svchost.exe	130
PID 4748 wrote to memory of 3292	4748	svchost.exe	131
PID 4748 wrote to memory of 3292	4748	svchost.exe	131
PID 4748 wrote to memory of 1980	4748	svchost.exe	132
PID 4748 wrote to memory of 1980	4748	svchost.exe	132
PID 4748 wrote to memory of 3276	4748	svchost.exe	133
PID 4748 wrote to memory of 3276	4748	svchost.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3588
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21DB680FFCD970D71A3A3BD1684194C8 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3DD997B6-4C4D-40BC-BE32-A489E5775036}
    3⤵
    - Executes dropped EXE
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F9C72BF0-9ADD-49EA-A761-F9E2C328833C}
    3⤵
    - Executes dropped EXE
    PID:4252
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2042DFD-FB18-4A50-BFAD-E60840E1AA5A}
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F97684A-5854-4614-A0D3-A1A5BDA50D83}
    3⤵
    - Executes dropped EXE
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4336E27A-EAF3-479F-8966-B9C95367793D}
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D6D468D9-8BE5-44D1-9E43-C73E496207B3}
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6C0174F-2CD1-4421-B9B0-2BD5FD46F447}
    3⤵
    - Executes dropped EXE
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{55869528-90A6-4924-9DD3-A608C8E66D39}
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60E7B9C8-3265-4332-86A9-87C0B572236C}
    3⤵
    - Executes dropped EXE
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A469227F-D811-4DF6-9918-142899A6C916}
    3⤵
    - Executes dropped EXE
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{61472A8F-877F-431B-ACB3-CF0DB258CDD3}
    3⤵
    - Executes dropped EXE
    PID:1416
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BEF5CF4C9D46B79BAFD827260EEE9027 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:3448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4196

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf" "9" "4f0333d67" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{27ae74c5-af1c-a14b-b516-b2e77b0d10a4} Global\{0a5c77e1-8fc7-9748-bab7-b874ea44b299} C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{7aee7126-7ce9-7644-949f-8910412087bb}\qcfilter.cat
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3808
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf" "9" "4417f2877" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:656
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf" "9" "4f8e1879b" "0000000000000160" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3292
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf" "9" "47c727a63" "0000000000000154" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1980
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf" "9" "4d5e0b807" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582a87.rbs

Filesize
37KB

MD5
abf66a66b4488b877c4f116afc292cd4

SHA1
70d1cc67778711c2a7453cfcfb313271a7b70888

SHA256
698b6102b041440d9b45703e581369ce5fb32029b3fc3fa13106cc35be77ab30

SHA512
d36db5e598fa04288c707c046eddd94c5d0470d1d9623af612e0b4321328c24bed5a9f8dee464b283b3cf7a9793d09dd5b4894bcef628a54503e5761ee10d883

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\filter\amd64\qcusbfilter.sys

Filesize
39KB

MD5
8438bd5302eed284de96cf98accdfda2

SHA1
7aacc6fcc500345e6df8cec8839cc63a890779f1

SHA256
0011975f3bad3d11747ca9ba4c24ea674d63131e679ac552d4af2b5ffd7f86dc

SHA512
406eee9d1450b1cf3a4f1b259182b2fb8f494e297498d4f24f45c5d61fd70c8869b3dc750c144da62d58f6985a2ff715e352be337aa623ecc676d471a3bd73bf

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys

Filesize
535KB

MD5
d08431790b71fbd56875762df88185d9

SHA1
03a6fe5c60799a5c0a12f10e3aa837cddd026d81

SHA256
d6298128cfc0f56646340d8d67bf124412ea2e9852fe9342e36bff177a4a01b0

SHA512
1cceaddacaab89e76a350dcd96a1e329a1c2234ea6c33a5f48615f3f6d55f9aa62cb3690e6057df71df2191a98e5dfd712f2d5f3b6da410989adb40a521910ad

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
96KB

MD5
d7a950a11638dc52717d9270ef09e150

SHA1
ec1a37f5e70431b63609199a067784f4a63b2d5c

SHA256
0d2a9ef7f0bcdde3d7b5f548b29fed32f4aee8d253d3da41553b7a4dc87a57a0

SHA512
0af7bcaf1058d70790a97641a5f46706323b9a649e5731c51885fa1fe5f7d2474e9bbd907db3ae275bda8246951c7eef46c23076fcea1c8750fb2809dd51a0e4

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcser.cat

Filesize
97KB

MD5
da65117158c5a4d005ad82a68e53e1e8

SHA1
78c0fb4c89a7cac5e3e36ce9e9c54b6507bc2e2a

SHA256
04390a6986d3809f81dbcb345481cd7bcc54430c041754b5464201dcbb6b9bf5

SHA512
5619d046b5047ba8620667835364724bf1c78ab91b74bcb8ade36ff5e8e6cc5c8dc2d56709b083c187ea5ed74679bb10ac3eba3d494dd6e1d7f889831eb4cc44

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcwwan.cat

Filesize
96KB

MD5
1f367e482b4ad610667b425ec6fe8812

SHA1
49769d83232e2e366817691f03686e5ef0e70c65

SHA256
6476bf4f4f731a10e7766f24cec6d71db5140481ff16b87390b402fe8502786a

SHA512
5b0db6294b4305652341647036114ef5680be958a94744d9713fdf9e40254f9750f5649792bcce8b03bbf6cb5b533747a84894e1f82a35fc38c392f65ec48e89

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdbusb.cat

Filesize
97KB

MD5
7dc0850624be0d3e8def9d653c013291

SHA1
5ffe8a50771d9dd6d3a9d15f14575517bedfda5d

SHA256
070db359908f6955e129024d1de0acf4750790f21ced52fb333e056d2fdd7be7

SHA512
a51a447a8f9793691a9d0314b846c6e3555c22c693c7e0367307001c19744bd8b1ba72261de925c740af9d69a07cbb94a1e5a51b1128394a5a732e2fec1a040e

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdss\amd64\qdbusb.sys

Filesize
46KB

MD5
0b13a08c6eaa6d7ad76bc43d64b9732b

SHA1
1e7e512dc690675b3814a879d17642d030ba4ac9

SHA256
08ec62ca5a4a64ac48f9963f8623b99d135b9fda6b658ade2564df15d822d950

SHA512
709a29c317a06c893a4efa334d0a9455876c592a659d081bee712a964fe48918af2cea8e9bb0e607ea3915bee6c6442615ffd6084fd9edfd8ae465440b003032

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdss\amd64\wdfcoinstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\serial\amd64\qcusbser.sys

Filesize
240KB

MD5
a5a4cb5c986715796eb1285289b9c779

SHA1
549fafefb36d1df67d1b8b7817041e4f5677e6ed

SHA256
357eb980c5d7a9ab4cfa5892432dac41ee9c0f03420fa9b927d78119054f91f6

SHA512
032c45b2bba7c5dfafbd0583bc96e79c1710dd981775d6184c131d49835d2183aad7dbaaeda2f45f2b3f490c3a8158c0d901c5467f4ca3158ff01a61c59cc1b5

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DifxApi\amd64\difxapi.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
2e42457c54c0d281aa191c7ca8e7bc11

SHA1
33d5ad6b11cd681f956e5dc607c54c5eca168e19

SHA256
210f20b72fe67a1b12846aab7886b6bd9702a3caf31a3b6affab3a0dc60199ff

SHA512
434872af382e5a73570c1a13d18b9febc71bec25d2ce20fdcfa0fbd23afb103b136d91fa6b6e8b01736a0b59d1477e7296d8a6fda2b26aa0c679454c9246ec1e

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
537b58f4523aa9638859d88d61d3ff77

SHA1
522b5f172d44d84e7e72201fde56bad684832237

SHA256
e1a039481b5470841932f440864c14d0139991d22655da1673afcef33b07f82d

SHA512
c2348d6001c6819233a55b1e2ced1fbdbfb6db630c38ffa59185680c31bca8868dfc9ba06350d9d4e9b70f555d0b1e7afa4ba7b55718ee103df5d41e1ecc57a4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
37KB

MD5
c44f842ad6d69df37aa0dcf5b05d54b7

SHA1
62eeff99483ba72c0fb341e768124d74071855c5

SHA256
5a544fda42a991a970ea3417ab49f967cdcb9fe89a14ae53d6566707a328b730

SHA512
44743848307af8d47b978189ba6d192d7d1c39c98bf2d2efe123bc2afc6ed42bade0e101e0b7e8ccb729949ffe89626ce995937d17c8b217e472e45e3ea368fa

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf

Filesize
44KB

MD5
bfd724e1364eb3284822e0b27899d78c

SHA1
e95ff9e797d391ca0aa93b55f3cec5dfb9e95e5a

SHA256
f59f3b976a682c730201e2d4aa4e33f627f92595aa4fde117521a12f2ee8e305

SHA512
9ff0081d900b94cf12ac2b1dbec1fd5ebb108a5048068534a894a6f20c743be387522c45965fc3d68af81d113fa3cb23e5397ed62088641c46c2579a410d66fd

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
101KB

MD5
756d9f6aa85025335d121246e5262528

SHA1
54d28ffe46bb81c86ca498bd0c357d63416b2fa7

SHA256
c8fbd819931030b3800397643ce23bac7f9cb46a770c8c7e5104682afbd0571a

SHA512
3012c1b14700bd3dc91f79cd774a61d5b0849203ce6a3d9be742ad902f8d7b52700061fcbde85ce8df2b4ca04b48a66ba81f87616ae7c12028b1ad9699a1f08d

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf

Filesize
73KB

MD5
5667cdc8aa7e89f575417aa5837f9202

SHA1
6449ecffb2a4aebaf4f05a69ac14fb202847f364

SHA256
363addf226aca987a56a2caa95ce19eea4dd86654d46e103f0d6184863ace934

SHA512
02f00e41469e9e9d76a3928ff5ce651f2977f236642f59e6e25fec3c78dfe3ecf7cc1e7253e1bf65ff6834566547172d175366d37d0dd711394f41e573340965

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf

Filesize
9KB

MD5
e7fb3e2ee6ae0890da972587516a8110

SHA1
93267d82c6564f618fafdd6f8a3edb5d8eff70bb

SHA256
94dd4e0aab352f69f7788a98563048f23f50402862e89376ca5ec5b742373eba

SHA512
6478515112c69674e54474a38b81fe8c1301fbfe64536b96162ade151e5baae22d1886230da2dd477a9d5448797b39f8f4fcb65d88fcb5bdb242a60868630edb

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9124.tmp

Filesize
1.3MB

MD5
526de93ee8ed331cf89a744c3aefc355

SHA1
c5e8410afc34ebde8372e0e1711e4155d34dece3

SHA256
f369ed198e835a3362d1c7d5ddf4b853f9339aafa6b5a6032fe13fb51c02c590

SHA512
b3b21ff3f4f98d8d5b14f191d04061addc4c44faf492a4788becfef5cbd55ecc82fc7eb373649fa825264d79b763955d708948412b47555b965ff9ea2d195a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.9MB

MD5
fcf5ad3c6e3630c94858e8dd51d07e3a

SHA1
87f6a86b18d0133ca75e63948c85fdd7aef04003

SHA256
11d689580a499cc28048ded32bb408ce417e723787edb8eb4ac68336016c0539

SHA512
a1c19f0977a26468dd6125c8422aa154d4d16f20717be9aa9de95b81dfdc4bd21db52502f102906ba9c9f862a1908ff925a02f4e0f527d4a4328d13758d3e271

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CC656AE6-7A73-4246-A068-C55E0BFE6D11}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
C:\Windows\Installer\MSI30FF.tmp

Filesize
1.6MB

MD5
fba7113c8d1b7eecd0e731c184418f29

SHA1
9961d5ca567f32c703a6b953933ff5fc22fca396

SHA256
1d10c129f67a74e1d393bf3c71f76285d3082ce5aa2712e8ffc2c8e148d659d5

SHA512
9cad372e139e744a7ade1e7c1b1f50508a22f2c69a5f73417c5a1db588bde34767e402d7770986f758e7cd118f2d67f6be2bb3fa2765e4e7c0bad7e4a4acc631

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
45b0c2431cb3289ddea44488d93b8de4

SHA1
62cff512573c46193133897c0e6442cf6768c98f

SHA256
2d80cc23f7c9e27b20151f752498ab0e91f86782ecd13f80558dd329e1d1883a

SHA512
0446a2e658ffd70fdab919fc9c8da79744783e7d0f2f5bb3f2471a71c440661b52f3cc1c54a86372c2e3114b8bb69a54d7f5e7742cc0d30bd538fb3a2696989a

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
0f46d1839d794f43033e4307db475b04

SHA1
cd6896364ffbb93291f87cc8a18ff3c8651d3b43

SHA256
dbd76d1302390dc1f06f2ad8db86e4ad83e7dd82508fed7f486a7ac9a0e4e7cd

SHA512
4b717ee9d8ae549d41cc172447bf6a20d08cdae42a37437d2be7bb17a86a6c699974994c1d7ba7febc9708a54b6e3f3f461e817831206ac01474c41502cdf891

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
9a067067bdd265a97d2fba2a1c46142c

SHA1
251c7e921ff0c575bb7829a48fae47f38c8fa02e

SHA256
02a98d05c15ca9a190ce6b1bf746e3399d5d7f2aad75e2fb93b572df314be97b

SHA512
716c1f2c603b7f3bb9ebade485c366e8d20966b5ab67257bdde31e55e38dd1ee14bcaf869f8044d85932fcc3f9667e534b360ce7a58bae97108eb4ee1e0c4a7e

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
b31f75e9b6afbf605fa962e50bee8123

SHA1
60d1ae15399e81190f166d3a0ed91ef3cfea69da

SHA256
8b9eb173ab8e2b4569f7f4acc9554d8c3c061d0412128cb987128287f2c8b50e

SHA512
b9c369bf51af3294f13765f4238d12c1f1d1eb705c912828160654bde254164f54d75a6f65e13be7a1dabcddd616e92713efb83863f2b211c417b8b36b5fff83

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
5c67d531488dcc4e5ca22ca38101bfd9

SHA1
1a327b2a65a801170feeb4404fcf11b97a357415

SHA256
3a1a6ad2682cdf8520db25a6112c0d522be5db69bf8130f06aa7de7d725e1d26

SHA512
2b1618c16cfe1906902376454267686f9efff706ef325bc8cf373dfcddcb315193c47a8b6001c42445e6f1cc0dd1cefebd3eeb27ac79de2443d5750893932444

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
ddf591c0a6a74e8e4be6704923053783

SHA1
45ffa891e156d842660d964fc704378f10296f19

SHA256
fde0f803b67d811ed1b810f5a9576667f6e751896ee1753d80ff2e49f38ea7a0

SHA512
de6457f2f8a51aeec8fbf7d75f71d87e26b3e0be1c2a9c16f495023c3445e0a7173c6533f4ed9c22cc63ee48698f75b1557c1a68a494a8559883e842326887ee

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
9779e3e618e914b859a72d611134758a

SHA1
f18f34eb1ace032b4a584f1080aa6f28588e3205

SHA256
ebeedd49b791bff1c6eb9d68f91b3b6396c79c8fb4c38f488782ebf6277a191c

SHA512
0b5567b41ca9e0bc539eedcba9c7010c59c2adce349eda94b0f443591ff346fe59cf5db07d31946fc4332c81973a52af4680121ab685afb22b92375dc086ca47

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
ea78adf2b2adc1272bed647702ab936c

SHA1
97c4278dbf5852beebccc9acb502cf001dc6e6c9

SHA256
5e59e209c693ca82f4161061d52f4d9433c3c693ea7d5e65938030baa67353ef

SHA512
72a070e6dbbc6fed980615844c1fab97adf3c574d9b753d4746ecd2a986a4a8eb352d4154e7c22f611311faa9a4e1f33c4fe82d7660d3b66ec580811a3c9a09c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
9b049932f720105b51f2b24dfb80b63b

SHA1
1f1dfdb771e7cd30c673b1c8793f2256fc53222a

SHA256
372188c95c81b747d56930612f14ec64cc4024b482189cf4454d1f992ec6c346

SHA512
e2466b0a0d230c306965c6fbb324759564e4936456af13277fd64d0ea7ec72b839b1d0bf0355e03c9476d0ad09cc5b5d3ddbee02e3528dddc9301aa2781a6ae9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
29870e99479a2c7f15fa545ca9cd1f55

SHA1
311d23100f9d0fc7eec22c922bb1f098e8a9ab36

SHA256
3055b54588b92d55bdd0156dd1ab96c548337bb0395082183ad964dd85f9fb7d

SHA512
941598d43593d01d364b29509a6ec0f21bf75e2bffc1e6752160e2a0a7609efb8cf91695fd678f2d59ff6954e5f360b339836dd1a617dd6e25211f349006e303

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ca2c24c9-88c9-4c75-b5ae-2562e2865364}_OnDiskSnapshotProp

Filesize
6KB

MD5
c42cc3f975c0a6ec60cb6419edac5f56

SHA1
dcb9c8ce5ed0b0beff6c33d82b6c32e8b0fbb64e

SHA256
5a7f58725b70b530af7cb89a3bf6910da78dd21cafc72e88342a4c05961be1a7

SHA512
7e8a05a6da2eeaf6875b7108e3467dbaa51fea7ea500dae5717f0d35dadef2c74e5d45fb3ebe2853e71031acc92e9474d075acf5867a2909aff534154ee7238e

Download Submit
memory/4652-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-75-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-530-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-6-0x0000000000473000-0x0000000000477000-memory.dmp

Filesize
16KB

Download
memory/4652-80-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-69-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4976-17-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/4976-41-0x0000000002A80000-0x0000000002B27000-memory.dmp

Filesize
668KB

Download
memory/4976-40-0x0000000002A80000-0x0000000002B27000-memory.dmp

Filesize
668KB

Download
memory/4976-46-0x0000000002CA0000-0x0000000002D29000-memory.dmp

Filesize
548KB

Download