floxif | a3423bf9cd6d13981e3efb81bd2d4861b2606d1bfcca8472e1ade9a8f87bd905

Analysis

max time kernel
91s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
Size

22.2MB
MD5

ef5b79d11d56ac638acea43040ba6e2e
SHA1

be50d85741ddf0c0b28b55e340b330824ec341e8
SHA256

a3423bf9cd6d13981e3efb81bd2d4861b2606d1bfcca8472e1ade9a8f87bd905
SHA512

6381b6c4ef8de0fc48c564c9e02f6df1d562434ad3ddf86fa4a456b9ca49847f3b8c3f14caecfc88aa2a340df055e6b7a10ca1f6db22ff2b67764192df283052
SSDEEP

393216:6XePsQXKIQ2A6p/jJicojuCXiv3vMBnz4CFxDqg9u4PS6n4CEJXE0wEKD3/LR:6XePsQXKx6liUCXk3EmCFpq4PznwXDwB

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x0009000000023c95-1.dat	floxif

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0E163CB0FDCE9E468EAE5A9600402132643ADE48\Blob = 0300000001000000140000000e163cb0fdce9e468eae5a9600402132643ade480400000001000000100000007b1ffa43ba9dbac4b3893effd386d003140000000100000014000000f6aae1de13f29375ae855eaa0ec7f1526acfb0f719000000010000001000000014005b11663d5285ca9a734218bb60720f0000000100000020000000990c8a10329dc2652c3884245965026509222d4219e55405a1a0cf7a1db202d32000000001000000120500003082050e308203f6a00302010202102b13f4b6b65224ea499e5bf1f90f42b5300d06092a864886f70d01010b0500307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e67204341301e170d3135303531353030303030305a170d3137303531353233353935395a308194310b30090603550406130255533113301106035504080c0a43616c69666f726e69613112301006035504070c0953616e20446965676f311e301c060355040a0c155155414c434f4d4d20496e636f72706f7261746564311c301a060355040b0c135143542055534220486f737420447269766572311e301c06035504030c155155414c434f4d4d20496e636f72706f726174656430820122300d06092a864886f70d01010105000382010f003082010a0282010100c7c353c4328659cbd10802db6b6721e0dcebd0bfb0763d3663f561288216b040e894c1717eb8540e167a71b925c6a73e7f5772c8e4feb4e28e9bee6f91134db39873f97545ec98ebffad31a7036ecdb3a2051bb3440bceda2ff98c4ff7a5071eb2457e1ce31d20b0af7215fcf8f10bc2919b743d751aecf57de987f487a567cba87d6fb196dd5edaccb4ae11eb487961ab7a89340cf1b3c9651299bfab193e85bdd3cfbbbb8bc36c020d48b756101b3e3e10e95173c85610d74a8c98399655af13300f8e73c797cf6be3164200260cc0aa5e29eae91a5716cadce1a9774de776ac2ef6a436ff7339af9c0c48b5b42ce0afcf58afa5c6be95282b53166bb303870203010001a382016e3082016a30090603551d1304023000300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330660603551d20045f305d305b060b6086480186f84501071703304c302306082b06010505070201161768747470733a2f2f642e73796d63622e636f6d2f637073302506082b0601050507020230191a1768747470733a2f2f642e73796d63622e636f6d2f727061301f0603551d23041830168014963b53f0793397af7d83ef2e2bcccab7861e7266302b0603551d1f042430223020a01ea01c861a687474703a2f2f73762e73796d63622e636f6d2f73762e63726c305706082b06010505070101044b3049301f06082b060105050730018613687474703a2f2f73762e73796d63642e636f6d302606082b06010505073002861a687474703a2f2f73762e73796d63622e636f6d2f73762e637274301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010b0500038201010066d5d6f1c898c17d1cec0581ff7b84a9ef8828fe9b59caa3cf74a0ab66cbb36614298eec716a1c8acb1e971a6b2790210f09f7d7efa66bdf97a22b6887d876ae2781a168fe9fd68ef1933322c731ec3b93ab08e198b7a544a9d387b08951806e28e414d7decb106038dc3ee5bdb2845faf4cc5c6540a52fbeb5719965d523e321672919ecde1058e82292fb91885cc18a62c1c145453a8684fd6e26277e54dcb8043186adfe5a8f5124b4b826fe764c39c1d8431d4d05cbff409ed35d569f6ca8d0a13dc3c88f56eeac7b9fbd5e95cd2cc8fb99a61d75173d21d52e2fa160b6d1e5e7058d0bde5aca560ebfb2ffe00b08d7fb896211fd10037708e36fd4f3860	DrvInst.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023c95-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
732	ISBEW64.exe
4892	ISBEW64.exe
3504	ISBEW64.exe
1216	ISBEW64.exe
3268	ISBEW64.exe
4988	ISBEW64.exe
2716	ISBEW64.exe
2012	ISBEW64.exe
3748	ISBEW64.exe
2928	ISBEW64.exe
3888	ISBEW64.exe
3668	qcmtusvc.exe
2840	DriverInstaller64.exe

Loads dropped DLL 9 IoCs

pid	Process
540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
4964	MsiExec.exe
4964	MsiExec.exe
4964	MsiExec.exe
4964	MsiExec.exe
4964	MsiExec.exe
4384	MsiExec.exe
2840	DriverInstaller64.exe
4384	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\e:	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\ndis	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\qcfilter.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\SET79DE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdss\amd64\qdbusb.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\qcfilter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\serial\amd64\qcusbser.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\filter\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\serial\amd64\SET79F0.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\SET8039.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\SET8039.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_c68a388aad774c96\qdbusb.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\SET6F02.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\filter	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b82d63eb-b7e3-2246-bdfc-109385d2a69a}\serial\amd64\qcusbser.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\SET6F01.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\SET7DD6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_936d995a371b46f4\qcwwan.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\SET79DF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b82d63eb-b7e3-2246-bdfc-109385d2a69a}\SET7BA3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_dd21d0caf44e7fa8\qcmdm.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdss\amd64\SET8008.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_c68a388aad774c96\qdss\amd64\wdfcoinstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\qcser.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b82d63eb-b7e3-2246-bdfc-109385d2a69a}\serial\amd64\SET7BD4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_dd21d0caf44e7fa8\qcmdm.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\serial\amd64\SET79F0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\qcwwan.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\filter\amd64\SET6F03.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\ndis\6.2	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\SET6F02.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\qcser.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdss\amd64\SET8019.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdbusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b82d63eb-b7e3-2246-bdfc-109385d2a69a}\SET7BC4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\qdss	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\qcser.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\serial\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\qcwwan.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\ndis\6.2\amd64\qcusbwwan.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{983ab549-0837-ad49-abaa-5e288ad2a890}\SET804A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b79c632d-5afd-f54a-b8b5-c75063694800}\serial	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c0c9912f-984e-8046-8799-e913923d15b8}\ndis\6.2\amd64	DrvInst.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023c95-1.dat	upx
behavioral2/memory/540-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/540-68-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/540-74-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/540-79-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/540-529-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\amd64\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\logReader.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriversInstallerCA.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.inf	msiexec.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI601C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6703.tmp	msiexec.exe
File created	C:\Windows\Installer\e585e86.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{D9FB7F91-9687-4B09-894D-072903CADEA4}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81CF.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e585e86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File created	C:\Windows\Installer\e585e88.msi	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "54605E80078F0E84081B971B66E8A6D7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777253"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
1760	msiexec.exe
1760	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
Token: SeShutdownPrivilege	4048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4048	msiexec.exe
Token: SeSecurityPrivilege	1760	msiexec.exe
Token: SeCreateTokenPrivilege	4048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4048	msiexec.exe
Token: SeLockMemoryPrivilege	4048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4048	msiexec.exe
Token: SeMachineAccountPrivilege	4048	msiexec.exe
Token: SeTcbPrivilege	4048	msiexec.exe
Token: SeSecurityPrivilege	4048	msiexec.exe
Token: SeTakeOwnershipPrivilege	4048	msiexec.exe
Token: SeLoadDriverPrivilege	4048	msiexec.exe
Token: SeSystemProfilePrivilege	4048	msiexec.exe
Token: SeSystemtimePrivilege	4048	msiexec.exe
Token: SeProfSingleProcessPrivilege	4048	msiexec.exe
Token: SeIncBasePriorityPrivilege	4048	msiexec.exe
Token: SeCreatePagefilePrivilege	4048	msiexec.exe
Token: SeCreatePermanentPrivilege	4048	msiexec.exe
Token: SeBackupPrivilege	4048	msiexec.exe
Token: SeRestorePrivilege	4048	msiexec.exe
Token: SeShutdownPrivilege	4048	msiexec.exe
Token: SeDebugPrivilege	4048	msiexec.exe
Token: SeAuditPrivilege	4048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4048	msiexec.exe
Token: SeChangeNotifyPrivilege	4048	msiexec.exe
Token: SeRemoteShutdownPrivilege	4048	msiexec.exe
Token: SeUndockPrivilege	4048	msiexec.exe
Token: SeSyncAgentPrivilege	4048	msiexec.exe
Token: SeEnableDelegationPrivilege	4048	msiexec.exe
Token: SeManageVolumePrivilege	4048	msiexec.exe
Token: SeImpersonatePrivilege	4048	msiexec.exe
Token: SeCreateGlobalPrivilege	4048	msiexec.exe
Token: SeShutdownPrivilege	1140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1140	msiexec.exe
Token: SeCreateTokenPrivilege	1140	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1140	msiexec.exe
Token: SeLockMemoryPrivilege	1140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1140	msiexec.exe
Token: SeMachineAccountPrivilege	1140	msiexec.exe
Token: SeTcbPrivilege	1140	msiexec.exe
Token: SeSecurityPrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeLoadDriverPrivilege	1140	msiexec.exe
Token: SeSystemProfilePrivilege	1140	msiexec.exe
Token: SeSystemtimePrivilege	1140	msiexec.exe
Token: SeProfSingleProcessPrivilege	1140	msiexec.exe
Token: SeIncBasePriorityPrivilege	1140	msiexec.exe
Token: SeCreatePagefilePrivilege	1140	msiexec.exe
Token: SeCreatePermanentPrivilege	1140	msiexec.exe
Token: SeBackupPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeShutdownPrivilege	1140	msiexec.exe
Token: SeDebugPrivilege	1140	msiexec.exe
Token: SeAuditPrivilege	1140	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1140	msiexec.exe
Token: SeChangeNotifyPrivilege	1140	msiexec.exe
Token: SeRemoteShutdownPrivilege	1140	msiexec.exe
Token: SeUndockPrivilege	1140	msiexec.exe
Token: SeSyncAgentPrivilege	1140	msiexec.exe
Token: SeEnableDelegationPrivilege	1140	msiexec.exe
Token: SeManageVolumePrivilege	1140	msiexec.exe
Token: SeImpersonatePrivilege	1140	msiexec.exe
Token: SeCreateGlobalPrivilege	1140	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4048	msiexec.exe
4048	msiexec.exe
1140	msiexec.exe
1140	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
2840	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 4048	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	83
PID 540 wrote to memory of 4048	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	83
PID 540 wrote to memory of 4048	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	83
PID 540 wrote to memory of 1140	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	85
PID 540 wrote to memory of 1140	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	85
PID 540 wrote to memory of 1140	540	2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe	85
PID 1760 wrote to memory of 4964	1760	msiexec.exe	87
PID 1760 wrote to memory of 4964	1760	msiexec.exe	87
PID 1760 wrote to memory of 4964	1760	msiexec.exe	87
PID 4964 wrote to memory of 732	4964	MsiExec.exe	88
PID 4964 wrote to memory of 732	4964	MsiExec.exe	88
PID 4964 wrote to memory of 4892	4964	MsiExec.exe	89
PID 4964 wrote to memory of 4892	4964	MsiExec.exe	89
PID 4964 wrote to memory of 3504	4964	MsiExec.exe	90
PID 4964 wrote to memory of 3504	4964	MsiExec.exe	90
PID 4964 wrote to memory of 1216	4964	MsiExec.exe	91
PID 4964 wrote to memory of 1216	4964	MsiExec.exe	91
PID 4964 wrote to memory of 3268	4964	MsiExec.exe	92
PID 4964 wrote to memory of 3268	4964	MsiExec.exe	92
PID 4964 wrote to memory of 4988	4964	MsiExec.exe	93
PID 4964 wrote to memory of 4988	4964	MsiExec.exe	93
PID 4964 wrote to memory of 2716	4964	MsiExec.exe	94
PID 4964 wrote to memory of 2716	4964	MsiExec.exe	94
PID 4964 wrote to memory of 2012	4964	MsiExec.exe	95
PID 4964 wrote to memory of 2012	4964	MsiExec.exe	95
PID 4964 wrote to memory of 3748	4964	MsiExec.exe	96
PID 4964 wrote to memory of 3748	4964	MsiExec.exe	96
PID 4964 wrote to memory of 2928	4964	MsiExec.exe	97
PID 4964 wrote to memory of 2928	4964	MsiExec.exe	97
PID 4964 wrote to memory of 3888	4964	MsiExec.exe	98
PID 4964 wrote to memory of 3888	4964	MsiExec.exe	98
PID 1760 wrote to memory of 3460	1760	msiexec.exe	120
PID 1760 wrote to memory of 3460	1760	msiexec.exe	120
PID 1760 wrote to memory of 4384	1760	msiexec.exe	123
PID 1760 wrote to memory of 4384	1760	msiexec.exe	123
PID 1760 wrote to memory of 4384	1760	msiexec.exe	123
PID 4384 wrote to memory of 2840	4384	MsiExec.exe	124
PID 4384 wrote to memory of 2840	4384	MsiExec.exe	124
PID 1624 wrote to memory of 5060	1624	svchost.exe	126
PID 1624 wrote to memory of 5060	1624	svchost.exe	126
PID 5060 wrote to memory of 4304	5060	DrvInst.exe	128
PID 5060 wrote to memory of 4304	5060	DrvInst.exe	128
PID 1624 wrote to memory of 2156	1624	svchost.exe	129
PID 1624 wrote to memory of 2156	1624	svchost.exe	129
PID 1624 wrote to memory of 740	1624	svchost.exe	130
PID 1624 wrote to memory of 740	1624	svchost.exe	130
PID 1624 wrote to memory of 2528	1624	svchost.exe	131
PID 1624 wrote to memory of 2528	1624	svchost.exe	131
PID 1624 wrote to memory of 2448	1624	svchost.exe	132
PID 1624 wrote to memory of 2448	1624	svchost.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_ef5b79d11d56ac638acea43040ba6e2e_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4048
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1140

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 75C939395108F4B0243364183E18C72B C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{495A1662-0AF9-4F23-A078-F452A716F764}
    3⤵
    - Executes dropped EXE
    PID:732
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA0E2E24-116F-4CD0-A1DA-FC51D7C76AC7}
    3⤵
    - Executes dropped EXE
    PID:4892
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63823BAB-966E-4827-90F7-05B186DB6D88}
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAA28A84-2C39-4D35-9B67-9F2592AEEA33}
    3⤵
    - Executes dropped EXE
    PID:1216
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D9A1E795-EB21-47EB-A984-C09EE5E0AB27}
    3⤵
    - Executes dropped EXE
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A3E69E89-E7DD-431B-B6A8-CAA381426E89}
    3⤵
    - Executes dropped EXE
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E007840E-A04A-48D1-9834-B3711756C1E4}
    3⤵
    - Executes dropped EXE
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{564A5FD7-FD12-415D-B966-7E4E8955BD42}
    3⤵
    - Executes dropped EXE
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{200CB393-2A23-4B96-9380-CAA322599286}
    3⤵
    - Executes dropped EXE
    PID:3748
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0AC2963B-8D3D-494C-A3C0-57737211D05F}
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5457C7D7-C3AC-4905-AB94-1E45B5E02FF2}
    3⤵
    - Executes dropped EXE
    PID:3888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F48C2C4AF45DB4C792BF02BAB80F5C15 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:2840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2728

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf" "9" "4f0333d67" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{30698911-279d-4b4c-a29e-bcb93121acf5} Global\{347f4293-274d-ab4c-8659-1b1e23e74b9a} C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\qcfilter.cat
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:4304
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf" "9" "4417f2877" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2156
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf" "9" "4f8e1879b" "000000000000015C" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:740
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf" "9" "47c727a63" "0000000000000154" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2528
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf" "9" "4d5e0b807" "000000000000017C" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585e87.rbs

Filesize
37KB

MD5
3515fd9c78206ae831578f6a734550b9

SHA1
edacd77a1e12d79e8bbc3b21f66173b2de20d33b

SHA256
1e833d609c1fd5826e10364605aeb140369db08a251f016f85c3aded1571c062

SHA512
6e1de53c4c3e60e4a919bdb76c9eaf6bc12205761e52e65afaea0129c9200cfb2ea11712286a8f6fe7f49579424aeb2eabe7ab321f640abd58687f8961bded00

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys

Filesize
504KB

MD5
4999657681bacef73fd6c5162a3bbfb5

SHA1
5d062c1acc28c4e3852043bbbdd87266f22dc478

SHA256
2d759dfd3a6623edd3b2f1634e6192815c25952094ae72cfbbd9ea46d25f7226

SHA512
637295c1c467316268268c2a2b529e0a0175c471807c6cddedf83ddfa2537554720bc53cbabf3864d58c0fb7cd41669805b842c0c58a06caf5d6243143ece290

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
94KB

MD5
184fb15f93f73790d5dfae0a22557ee4

SHA1
f3de31f1db7e76fd26d7ad4953b0a01c070da8ba

SHA256
2443015b8822a3793c141571135ef1cb79f324700d33266103e3ba599e1b6c21

SHA512
5e6e8a7fc5187f886e33769028f2f4aa5410615c681eb0aa0136ac08c81954c86d7a58b000004294dc60239d8f76c3bda9eafcfd3f1ad7d1c86bd3eb6ad2ea3e

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcser.cat

Filesize
95KB

MD5
acdc05e308c96515b4b8eda582b1191a

SHA1
9ed26a48419a8435cb6982e6d1d86585213621ee

SHA256
550507c87bdd89d0619328529fefee2933736c85d239367c5e429e0d6febd07c

SHA512
1c7bbbc1144e66cc87977074f73bd6c86ba05ca21fadf7f8ac81088fca6776a20fb5d260c366006100adb766697f91e4f2cd4290d2662ec52b0db60dbff93963

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcwwan.cat

Filesize
94KB

MD5
a08b4295c74ebc18d6a5f281ca2c3eea

SHA1
9718561dd5f541854bb3dceb0554ee780f4cad43

SHA256
be76010e324e2fcd9990a82265ff8757375f45fc692202ebf5d974b85fcbc777

SHA512
170b32913c40c94ef7d32d2c2c011b6671feb64a91b1ba9c5f0ba44db79264b577871bedbc58ff308ea98926f767823432a86f0749208c1092460d6adb5c92f9

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdbusb.cat

Filesize
95KB

MD5
582be70e74fd908714af436aa546c119

SHA1
b8179d1f818322da5593d19646e646084ec846e7

SHA256
8c3208d04d1c5fe011659b97692a024df5a607f1a480072127bb0f47073aeffa

SHA512
dce438135be6786e57eda011b786596c751e3ab7bd15e5553ac7643f54d7014aff6d723c52732d306d70054c3a9980968e71fd14dd1480590290fe34f9134a17

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdss\amd64\qdbusb.sys

Filesize
44KB

MD5
c6ea8d40d2bf25d9011c37e27d65c484

SHA1
9d00f36c1ba545c2c140aa12e6ff0b5917b17f8b

SHA256
ed89b3315d5ff28ccde22b90680d44c7ad8de630601baa2921c96c25d85aae3f

SHA512
b54d2e8dd7692ea4f9308be891330d277ba7b592e2a40b1a330176668d1e3aa7243cd792c70743d1f978bcf992116c4c6f28f2cb02fd4536d53cedc9a13e26ea

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdss\amd64\wdfcoinstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\serial\amd64\qcusbser.sys

Filesize
239KB

MD5
358bc4b7bf9bca41abea485058f9b360

SHA1
47974d8e6512497c9ad6a79919e1cd58366d5e97

SHA256
6fff206a1def97219541568d76d2077ac5db1daef2c6d995f6ac4a83e57ed898

SHA512
1d6de7f4db5f2320889f8e23176b8e6ebacd8ed03fb7bbb62841e105c83fcc6eaa571c89e605f3d41258fa629dd72c5e2305ea7c26855735b1baced84046404a

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DifxApi\amd64\difxapi.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
6e0321ff9f386106d64e7b863e1866ea

SHA1
f9898d7bdd18691518ff1d615a693922bcc3a26c

SHA256
f0cbd9fb9abc814e470a4126d3f7b7bf2fc769c20593b402ad2cb979e4817625

SHA512
0449c4ee6fb9798d6dc24e08d70aabc8fb1ecec4696c34e42440ff8a93ae93f058a235b8cf0078699723cbc42a3a579519d048ace5add0bd28d5866fb4d3eb04

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
cf9a93ed8f3b472a9c1eb6acb619b9d4

SHA1
9725cb577b28f9a71d66af1f5c075423c3f2c66a

SHA256
b6d6cbf256f08fe397d23c989d41ff6f4bd60b11751f7e7585cfe5dc534b5e26

SHA512
d79581bb5a82a3b396faa20683f5afdcc2933ff525450722142541dbb9450b99f31910983c41420b47dc9b09f2507738d00bcd4047aabbfe23c9a325970394b4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
36KB

MD5
4e8ff95823ed15cf1bb13489f88784f5

SHA1
f25210d6d26b842ae8a11e3b5c4e18835e4a3b13

SHA256
5fa46ab5487d00840642d82eb321aab0c716b19dc9cd21aaa4af74a7b47a5e2e

SHA512
6d2056e302c73e7092cbd5badb705ae52fb99b4279c174b524c3656d090434e45a2c0e9c4ed24f4215cff112bbe3ae317776bb00d58a7a27c99266c589bcc667

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf

Filesize
44KB

MD5
f1ee860f01ef686168926b2eb70da7aa

SHA1
5000f8e9c765906819b7bc5ee7ba9a8de8c0f4ee

SHA256
db8c72dffd89b859c8d3b511d3c0452d031079c21648d94a8cdfb9c403e492dd

SHA512
12823e92a89b2b52d85388f732dcf57303b3bc3f03fa4332244f30d2a180458cb0e58f533c62608f5ac1613b99df4f4b873e8d663e5f5ca9d4cca379bda1e020

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
100KB

MD5
66702ca8991184e99b39304cbe964bb3

SHA1
99d9453c89e7fedd06f12f3d96b9931e63bdec29

SHA256
717d8c9eb75808d711ec31ad97f5cf4699798c95d4336f57cc54ff09aab9ff6e

SHA512
e3efbb1be20fc84f31112f75fe412d8e7efaf980038a09e2e9a502810e173dbee0abc3ce4c3a6ac608a84ea9cdeafd5fb32ea44da3e5f39d184363e6167cb950

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf

Filesize
72KB

MD5
be202547e7b7317e0eaacb373fb65034

SHA1
f286b1dff477e7bb1b89028d10ed2164f43ee1c1

SHA256
635ec113fb8682ccb237afae4de441882a3edd12526fd7d0f4e0450c54cf8bc6

SHA512
b6fab25bfbd1fef0ad4fa25b1f72829a189fcbb98abb1c36d484fa21acfd8cf71efc58dcb869c424ad8aea8469d224f71a653bd7d14fb82561c815ac1e534c1a

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf

Filesize
8KB

MD5
028f4b4eea445e57839a0511736cb887

SHA1
55074bcd41bc4b90b52f89d7fd20b35885b3ad95

SHA256
248c3c0a0a6b2f2a7f7438120906d29c8adbb9ee447dd47d7eb16a7c260f531d

SHA512
7faeaccfbd89cfed6bd00fab215e906673505bb64baff4760e7c5fbc385b23b85131d2769bacbaa5f3af3d4cf078ff7d9e61986b5421fb256d64f4726efa7690

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID282.tmp

Filesize
1.3MB

MD5
ca189a2b762e64d61303bfd4d88fd0a6

SHA1
13bf55664fb0345d3931458f75b6039c1213f46a

SHA256
dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a

SHA512
31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.7MB

MD5
cde633c7be2c8db52f0922f8a8e0c613

SHA1
a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f

SHA256
a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5

SHA512
e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54A10247-3769-49E3-8286-7F9BF17367BB}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
C:\Windows\Installer\MSI6703.tmp

Filesize
1.6MB

MD5
ab8d1cf0de0c1594c2093ccf0128e0b8

SHA1
ddba6dc5c69ba72c879fb15cc109503adb759fdc

SHA256
2f975e52b9e6a99dd3515f7b9bc30e89d39cb44e9fb1a8f3e43ab330df42f0a4

SHA512
0a01b500ef221777ffeeacccf47794d1d468bf86a24f53a6558cd21d244dfb614f552047352f8c5c01682322fceab21089bc2a8bef6ad502c81b347b8f8c1fb9

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
fea42b84c10bff779760b8bc07b7d0cf

SHA1
51e9aff294585272e478c196d69682e7cb7f7580

SHA256
818e2dec80e96085dc6068bee1c4bbdeea65422749caa9d2e9eb834f6b6f7920

SHA512
97ad4aa467cf495794da084449635dfca5d68512d8b8b932e58f83a1cdb579dac5fd0b573aadc36af1600e7e2474613a129858e3311e2d1c80f2187401027893

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
3f5939b71c9895928bd77244a82629f6

SHA1
15b9a2af0fa8dcd90ddc13f0e35644a163794855

SHA256
1d192c0af6e576c1511e82e8dca7a886f00f91f43b39bed3606779f6bd652ac8

SHA512
5ad7acdb26be5a2be9fcef41dc7f21557c6a91e16e777560dbec5ed948e5268799c8f34b7d18ee90f18ea96627b842c5f16efec189b171b0408d47e837824fd0

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
6de5bf8efb50c32a7da47060781d5e2f

SHA1
6eb59ff31d9cc1900aeb8fa965b2d07bfe474f4a

SHA256
2d8172d08bd45f7f3676a03f5f39045193cbed306bd7dccdfb240b91254a2387

SHA512
ed6d133fb6aac3e559ada1f046e711bf551ebd5a7d29bf32388ed2c62718b7872d2d32f6dea39d885b76b6b714d8efa300e197c887f50f1a80800e35245cc6dc

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
a674d9a63eb81aa41456fd992dbcee00

SHA1
712b7b157b9a2bda12f9834faadf00e3c7dec8d9

SHA256
cc3e3c2f216e39a9fc5205a2805f5d17dd6db630cb6c67811de3824c5830005a

SHA512
44e4b398bf2d62c3ba28f4d05134cc5f80527f9e399c89881fe2c6c5b2ea1166647d4bc1f6c209a31753592f887fe16f19120bc5079a859a58b94799aaa42e81

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
064aa48d0614d094e367b330159bc2b4

SHA1
19b4bc221b546ef43bf60cd2f24c01c98f1fad38

SHA256
4376909717c4765fc126869a935a95c0c61c0d4560e40cf6c726ab7f63d2703f

SHA512
ba6d34cba26142609f5e79be47576c1679375011ea631d04b93499213131a736ac726db903ee62189466527dd032a95815d4a99f7df6f4a54cc451b202b4bbfb

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
430852427b51dbb82de98e12339a5a47

SHA1
cafe2e69b83dc0f01b07b267dbcf3bb5272bcf0a

SHA256
88603affc0e35d4cd87a92ab679bbd40c82fac7193310c4e2989d75021bb8e5e

SHA512
488be7566dcb82084335620ad8da1517107096fe0f0da9c303be97e6f67fe1262d7e213a14bf74175e89ecdf826c3bd36372f0597f06053156bec4771d70eac7

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
75986492ca998b54b03716eb32b96e7a

SHA1
3f671de5629c3f306f9ca05567c97749083f30f2

SHA256
fbbad5a7c47fa64e4cdf6ebfdf0f038700e1c232907579c8a09c6036265ab2b7

SHA512
c281dd65b08f3e0cff35104e7a924dc2b928799917b520870d5ad736f8057bbbe49f1000280203ffc45dd7d17c81cd66d1952cf9f7f5df832995ffa6801f2a87

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
3a3a8b7794a44710f921bdefbc0919bb

SHA1
6e9e38bb43a3c9efcd2ec32ea1ccb82af6a38bd8

SHA256
8d0facd6f3de0c58614de58616d569d91cbf68ac4c89f4bcaa8495bcd5317e2d

SHA512
66e9cb9d05f719d4521e50c19519de0a976e26fc39296c2452ac7792df6bc5c64c8878daa5e3cc054ccb9b9f2518fa1053bc1a014533bca921e104dfe923da87

Download Submit
C:\Windows\System32\DriverStore\Temp\{153eddc0-9dec-7b4b-bc52-932f8cb499ed}\filter\amd64\SET6F03.tmp

Filesize
39KB

MD5
45ef50b1446371ec2411e6ec6f6dabab

SHA1
d2e78f2eba854b57626e69fd9298cd390d76f544

SHA256
65b7baabfcb0788147b1a5bb03083008f6040f6c321b6a5e2892680c5eec9abd

SHA512
5f0377571bd44c83fbd64b8406fcfcf47aef3cd5308d664193d364f978e87c67aa00fd456cc8647ce06381e6c9c6c621a16b5708330776091ca3c6b130957b37

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2c5fc5cf0e5953b7e26a2e74c0d183eb

SHA1
adb531bd2774c69f860532368c0936ef558a3d20

SHA256
a6d5f8c67ff12bda08a0ab3e62789b304f823a1003a347bdb2cc45ac85ab4095

SHA512
908ea3be6ffc2fc2262fff5ff9eea48c9ab087c4d184b8298ce1a7883a07d73773a1edbfcd2062f7e9e002ee0f9f08f2b7f9a7ba42e3da1edaea88f73d539669

Download Submit
\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e3f5b6b2-575f-4085-9d91-c92b096a7570}_OnDiskSnapshotProp

Filesize
6KB

MD5
b17fd39eb002e6e04c269d63dc755621

SHA1
f536d94cec29322cd72f7dc913e2058a0e26427d

SHA256
7fc338d4a96630a35f28878e91dc9c6e33d5bb2652f81505c3fe3c94a84d9aa7

SHA512
1edfc6567cac7115f9eb787c494c999247aea500eeec704d10ba575e00c18d130ae3d62e3a8b2b2d233803edad6bf221ee55526ce21ed57c57f077c562d61208

Download Submit
memory/540-68-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/540-74-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/540-79-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/540-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/540-529-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4964-39-0x0000000002C50000-0x0000000002CF7000-memory.dmp

Filesize
668KB

Download
memory/4964-38-0x0000000002C50000-0x0000000002CF7000-memory.dmp

Filesize
668KB

Download
memory/4964-44-0x0000000002DD0000-0x0000000002E59000-memory.dmp

Filesize
548KB

Download
memory/4964-16-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download