Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-12-2024 18:22

Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Resource: win7-20240903-en

General

Target: 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Size: 22.3MB
MD5: 11e8ce1c130f56c79b70751cd7669d8c
SHA1: 560ff3bdf4483fddbf948ac8e715d8cfaf2a42d0
SHA256: 0806116764e3fe406f9f8905d43d3ffbd9af312ef8205de07acae8ebdb2d6133
SHA512: 6f1d1c4584b18c3d0aab8821c7f22e558eecec356204a5a6cd92f361dad23041dc751c2d5083db210cf8d9117b1721b4012303ba2032e9e1e13ea514ca0b560f
SSDEEP: 393216:GX9pjHs4737sM3HgVrAmIQoLd28A+a0r/DdXLnEsRgcHcqcp0q3WI28d+olEi:GX9pLsstBg89xDdbn8c8qk3N2QlX
Malware Config

Signatures

Floxif family

Detects Floxif payload (1 IoC)
resource: behavioral2/files/0x000c000000023b71-1.dat; yara_rule: floxif
Manipulates Digital Signatures (1 TTP, 1 IoC)
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is accepted as validly signed.
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0E163CB0FDCE9E468EAE5A9600402132643ADE48\Blob = 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 (Process: DrvInst.exe)
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource: behavioral2/files/0x000c000000023b71-1.dat; yara_rule: acprotect
Executes dropped EXE (13 IoCs)
pid / Process: 2296 ISBEW64.exe; 4448 ISBEW64.exe; 2924 ISBEW64.exe; 2376 ISBEW64.exe; 2412 ISBEW64.exe; 3572 ISBEW64.exe; 1560 ISBEW64.exe; 3676 ISBEW64.exe; 644 ISBEW64.exe; 2136 ISBEW64.exe; 3792 ISBEW64.exe; 2160 qcmtusvc.exe; 3048 DriverInstaller64.exe
Loads dropped DLL (9 IoCs)
pid / Process: 5024 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe; 4264 MsiExec.exe; 4264 MsiExec.exe; 4264 MsiExec.exe; 4264 MsiExec.exe; 4264 MsiExec.exe; 3668 MsiExec.exe; 3048 DriverInstaller64.exe; 3668 MsiExec.exe
Enumerates connected drives (3 TTPs, 47 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
resource / yara_rule: behavioral2/files/0x000c000000023b71-1.dat upx; behavioral2/memory/5024-4-0x0000000010000000-0x0000000010030000-memory.dmp upx; behavioral2/memory/5024-66-0x0000000010000000-0x0000000010030000-memory.dmp upx; behavioral2/memory/5024-69-0x0000000010000000-0x0000000010030000-memory.dmp upx; behavioral2/memory/5024-74-0x0000000010000000-0x0000000010030000-memory.dmp upx; behavioral2/memory/5024-79-0x0000000010000000-0x0000000010030000-memory.dmp upx; behavioral2/memory/5024-528-0x0000000010000000-0x0000000010030000-memory.dmp upx
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (29 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe; msiexec.exe; msiexec.exe; MsiExec.exe; qcmtusvc.exe; MsiExec.exe)
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DriverInstaller64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DriverInstaller64.exe -
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777256" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "50F96F0F677D720429F0EAB3F42EA9A4" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
4892 | msiexec.exe
4892 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Token: SeShutdownPrivilege | 4196 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4196 | msiexec.exe
Token: SeSecurityPrivilege | 4892 | msiexec.exe
Token: SeCreateTokenPrivilege | 4196 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4196 | msiexec.exe
Token: SeLockMemoryPrivilege | 4196 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4196 | msiexec.exe
Token: SeMachineAccountPrivilege | 4196 | msiexec.exe
Token: SeTcbPrivilege | 4196 | msiexec.exe
Token: SeSecurityPrivilege | 4196 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4196 | msiexec.exe
Token: SeLoadDriverPrivilege | 4196 | msiexec.exe
Token: SeSystemProfilePrivilege | 4196 | msiexec.exe
Token: SeSystemtimePrivilege | 4196 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4196 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4196 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4196 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4196 | msiexec.exe
Token: SeBackupPrivilege | 4196 | msiexec.exe
Token: SeRestorePrivilege | 4196 | msiexec.exe
Token: SeShutdownPrivilege | 4196 | msiexec.exe
Token: SeDebugPrivilege | 4196 | msiexec.exe
Token: SeAuditPrivilege | 4196 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4196 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4196 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4196 | msiexec.exe
Token: SeUndockPrivilege | 4196 | msiexec.exe
Token: SeSyncAgentPrivilege | 4196 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4196 | msiexec.exe
Token: SeManageVolumePrivilege | 4196 | msiexec.exe
Token: SeImpersonatePrivilege | 4196 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4196 | msiexec.exe
Token: SeShutdownPrivilege | 4416 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4416 | msiexec.exe
Token: SeCreateTokenPrivilege | 4416 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4416 | msiexec.exe
Token: SeLockMemoryPrivilege | 4416 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4416 | msiexec.exe
Token: SeMachineAccountPrivilege | 4416 | msiexec.exe
Token: SeTcbPrivilege | 4416 | msiexec.exe
Token: SeSecurityPrivilege | 4416 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4416 | msiexec.exe
Token: SeLoadDriverPrivilege | 4416 | msiexec.exe
Token: SeSystemProfilePrivilege | 4416 | msiexec.exe
Token: SeSystemtimePrivilege | 4416 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4416 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4416 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4416 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4416 | msiexec.exe
Token: SeBackupPrivilege | 4416 | msiexec.exe
Token: SeRestorePrivilege | 4416 | msiexec.exe
Token: SeShutdownPrivilege | 4416 | msiexec.exe
Token: SeDebugPrivilege | 4416 | msiexec.exe
Token: SeAuditPrivilege | 4416 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4416 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4416 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4416 | msiexec.exe
Token: SeUndockPrivilege | 4416 | msiexec.exe
Token: SeSyncAgentPrivilege | 4416 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4416 | msiexec.exe
Token: SeManageVolumePrivilege | 4416 | msiexec.exe
Token: SeImpersonatePrivilege | 4416 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4416 | msiexec.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
4196 | msiexec.exe
4196 | msiexec.exe
4416 | msiexec.exe
4416 | msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
3048 | DriverInstaller64.exe
Suspicious use of WriteProcessMemory 50 IoCs
description | pid | Process | procid_target
PID 5024 wrote to memory of 4196 | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe | 83
PID 5024 wrote to memory of 4196 | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe | 83
PID 5024 wrote to memory of 4196 | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe | 83
PID 5024 wrote to memory of 4416 | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe | 85
PID 5024 wrote to memory of 4416 | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe | 85
PID 5024 wrote to memory of 4416 | 5024 | 2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe | 85
PID 4892 wrote to memory of 4264 | 4892 | msiexec.exe | 87
PID 4892 wrote to memory of 4264 | 4892 | msiexec.exe | 87
PID 4892 wrote to memory of 4264 | 4892 | msiexec.exe | 87
PID 4264 wrote to memory of 2296 | 4264 | MsiExec.exe | 88
PID 4264 wrote to memory of 2296 | 4264 | MsiExec.exe | 88
PID 4264 wrote to memory of 4448 | 4264 | MsiExec.exe | 89
PID 4264 wrote to memory of 4448 | 4264 | MsiExec.exe | 89
PID 4264 wrote to memory of 2924 | 4264 | MsiExec.exe | 90
PID 4264 wrote to memory of 2924 | 4264 | MsiExec.exe | 90
PID 4264 wrote to memory of 2376 | 4264 | MsiExec.exe | 91
PID 4264 wrote to memory of 2376 | 4264 | MsiExec.exe | 91
PID 4264 wrote to memory of 2412 | 4264 | MsiExec.exe | 92
PID 4264 wrote to memory of 2412 | 4264 | MsiExec.exe | 92
PID 4264 wrote to memory of 3572 | 4264 | MsiExec.exe | 93
PID 4264 wrote to memory of 3572 | 4264 | MsiExec.exe | 93
PID 4264 wrote to memory of 1560 | 4264 | MsiExec.exe | 94
PID 4264 wrote to memory of 1560 | 4264 | MsiExec.exe | 94
PID 4264 wrote to memory of 3676 | 4264 | MsiExec.exe | 95
PID 4264 wrote to memory of 3676 | 4264 | MsiExec.exe | 95
PID 4264 wrote to memory of 644 | 4264 | MsiExec.exe | 96
PID 4264 wrote to memory of 644 | 4264 | MsiExec.exe | 96
PID 4264 wrote to memory of 2136 | 4264 | MsiExec.exe | 97
PID 4264 wrote to memory of 2136 | 4264 | MsiExec.exe | 97
PID 4264 wrote to memory of 3792 | 4264 | MsiExec.exe | 98
PID 4264 wrote to memory of 3792 | 4264 | MsiExec.exe | 98
PID 4892 wrote to memory of 4472 | 4892 | msiexec.exe | 119
PID 4892 wrote to memory of 4472 | 4892 | msiexec.exe | 119
PID 4892 wrote to memory of 3668 | 4892 | msiexec.exe | 122
PID 4892 wrote to memory of 3668 | 4892 | msiexec.exe | 122
PID 4892 wrote to memory of 3668 | 4892 | msiexec.exe | 122
PID 3668 wrote to memory of 3048 | 3668 | MsiExec.exe | 123
PID 3668 wrote to memory of 3048 | 3668 | MsiExec.exe | 123
PID 668 wrote to memory of 1292 | 668 | svchost.exe | 125
PID 668 wrote to memory of 1292 | 668 | svchost.exe | 125
PID 1292 wrote to memory of 2472 | 1292 | DrvInst.exe | 127
PID 1292 wrote to memory of 2472 | 1292 | DrvInst.exe | 127
PID 668 wrote to memory of 3676 | 668 | svchost.exe | 128
PID 668 wrote to memory of 3676 | 668 | svchost.exe | 128
PID 668 wrote to memory of 1360 | 668 | svchost.exe | 129
PID 668 wrote to memory of 1360 | 668 | svchost.exe | 129
PID 668 wrote to memory of 4968 | 668 | svchost.exe | 130
PID 668 wrote to memory of 4968 | 668 | svchost.exe | 130
PID 668 wrote to memory of 2700 | 668 | svchost.exe | 131
PID 668 wrote to memory of 2700 | 668 | svchost.exe | 131
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Each entry below gives the image path, the command line as captured, the signatures that fired for that process, and its PID; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-28_11e8ce1c130f56c79b70751cd7669d8c_floxif_icedid.exe"
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5024

  C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4196

  C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4416

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4892

  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B55ED15A706BB7D9ABA8B0DF1BAD0C10 C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4264

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A29BF745-760C-4647-ABD0-17763A243939}
    - Executes dropped EXE
    PID: 2296

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FB4D233D-6C46-497F-8D5E-AB88B30097A1}
    - Executes dropped EXE
    PID: 4448

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EEFA68D0-3DB9-4AD9-BB91-0A36F7C75078}
    - Executes dropped EXE
    PID: 2924

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{92B84044-AD78-429A-8A23-1FA41891E74B}
    - Executes dropped EXE
    PID: 2376

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{23AEF2AC-482B-4269-A8FA-30825B916233}
    - Executes dropped EXE
    PID: 2412

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EC686061-0861-48D6-AAB4-80B2915E90F0}
    - Executes dropped EXE
    PID: 3572

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{214389E5-6D5B-40B1-BA14-503B91239D3A}
    - Executes dropped EXE
    PID: 1560

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EC039DDF-86FB-4B27-B9C6-CEF1ACD110B5}
    - Executes dropped EXE
    PID: 3676

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FBE8B7B9-5855-435E-9FBC-D1D3F316B28E}
    - Executes dropped EXE
    PID: 644

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{533D139C-0E7C-4E1E-AEA9-BCD3F38A3330}
    - Executes dropped EXE
    PID: 2136

    C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{F68BA557-87DC-470E-9FD6-506209694086}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E17FC5C-0A2F-4B95-9473-CF6D4A12F6ED}
    - Executes dropped EXE
    PID: 3792

  C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 4472

  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6FD35117718FB09B49805439A19294A8 E Global\MSI0000
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3668

    C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    Command line: "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID: 3048

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID: 2292

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
Command line: "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2160

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID: 668

  C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf" "9" "4f0333d67" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID: 1292

    C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2b52ba71-817f-7847-a5bd-906dca8f12ce} Global\{2547abaa-61bf-e149-a10a-cb47578cb735} C:\Windows\System32\DriverStore\Temp\{7ce464a5-50ca-1742-a9d2-a0615b0b7f0d}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{7ce464a5-50ca-1742-a9d2-a0615b0b7f0d}\qcfilter.cat
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 2472

  C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf" "9" "4417f2877" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID: 3676

  C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf" "9" "4f8e1879b" "0000000000000160" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID: 1360

  C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf" "9" "47c727a63" "0000000000000154" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID: 4968

  C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf" "9" "4d5e0b807" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll
Filesize 507KB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
Filesize 2.2MB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
Filesize 81KB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf
Filesize 37KB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf
Filesize 44KB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf
Filesize 101KB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf
Filesize 73KB
-
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf
Filesize 9KB
-
C:\Windows\System32\DriverStore\Temp\{7ce464a5-50ca-1742-a9d2-a0615b0b7f0d}\filter\amd64\SET3AD4.tmp
Filesize 39KB
-
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b37f1d0f-7dde-434b-b87d-f2cf9633e6bb}_OnDiskSnapshotProp
Filesize 6KB