floxif | fad98b9ce764a79fb8af81dd2cbb131dea2c139f6259d1c430fdc45d956c5946

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
Size

22.2MB
MD5

951e5314b5dcda4113f3c901d0b0ca1a
SHA1

586bc2d30f18cb86da56d8543733ff50774ef51e
SHA256

fad98b9ce764a79fb8af81dd2cbb131dea2c139f6259d1c430fdc45d956c5946
SHA512

fdae534a86a8beb14045e8184d95da53ff8a1128e8cabe0f5be60030a7f1908a31b19fe5f7fa879f64b5b465f7b9843362784a8777c4cca2c93f86a202c250cc
SSDEEP

393216:XXe9sQXKIQ2A6p/jJicojuCXiv3vMBnz4CFxDqg9u4PS6n4CEJXE0wEKD3/LU:XXe9sQXKx6liUCXk3EmCFpq4PznwXDwk

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000a000000023c87-1.dat	floxif

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0E163CB0FDCE9E468EAE5A9600402132643ADE48\Blob = 0300000001000000140000000e163cb0fdce9e468eae5a9600402132643ade480400000001000000100000007b1ffa43ba9dbac4b3893effd386d003140000000100000014000000f6aae1de13f29375ae855eaa0ec7f1526acfb0f719000000010000001000000014005b11663d5285ca9a734218bb60720f0000000100000020000000990c8a10329dc2652c3884245965026509222d4219e55405a1a0cf7a1db202d32000000001000000120500003082050e308203f6a00302010202102b13f4b6b65224ea499e5bf1f90f42b5300d06092a864886f70d01010b0500307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e67204341301e170d3135303531353030303030305a170d3137303531353233353935395a308194310b30090603550406130255533113301106035504080c0a43616c69666f726e69613112301006035504070c0953616e20446965676f311e301c060355040a0c155155414c434f4d4d20496e636f72706f7261746564311c301a060355040b0c135143542055534220486f737420447269766572311e301c06035504030c155155414c434f4d4d20496e636f72706f726174656430820122300d06092a864886f70d01010105000382010f003082010a0282010100c7c353c4328659cbd10802db6b6721e0dcebd0bfb0763d3663f561288216b040e894c1717eb8540e167a71b925c6a73e7f5772c8e4feb4e28e9bee6f91134db39873f97545ec98ebffad31a7036ecdb3a2051bb3440bceda2ff98c4ff7a5071eb2457e1ce31d20b0af7215fcf8f10bc2919b743d751aecf57de987f487a567cba87d6fb196dd5edaccb4ae11eb487961ab7a89340cf1b3c9651299bfab193e85bdd3cfbbbb8bc36c020d48b756101b3e3e10e95173c85610d74a8c98399655af13300f8e73c797cf6be3164200260cc0aa5e29eae91a5716cadce1a9774de776ac2ef6a436ff7339af9c0c48b5b42ce0afcf58afa5c6be95282b53166bb303870203010001a382016e3082016a30090603551d1304023000300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330660603551d20045f305d305b060b6086480186f84501071703304c302306082b06010505070201161768747470733a2f2f642e73796d63622e636f6d2f637073302506082b0601050507020230191a1768747470733a2f2f642e73796d63622e636f6d2f727061301f0603551d23041830168014963b53f0793397af7d83ef2e2bcccab7861e7266302b0603551d1f042430223020a01ea01c861a687474703a2f2f73762e73796d63622e636f6d2f73762e63726c305706082b06010505070101044b3049301f06082b060105050730018613687474703a2f2f73762e73796d63642e636f6d302606082b06010505073002861a687474703a2f2f73762e73796d63622e636f6d2f73762e637274301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010b0500038201010066d5d6f1c898c17d1cec0581ff7b84a9ef8828fe9b59caa3cf74a0ab66cbb36614298eec716a1c8acb1e971a6b2790210f09f7d7efa66bdf97a22b6887d876ae2781a168fe9fd68ef1933322c731ec3b93ab08e198b7a544a9d387b08951806e28e414d7decb106038dc3ee5bdb2845faf4cc5c6540a52fbeb5719965d523e321672919ecde1058e82292fb91885cc18a62c1c145453a8684fd6e26277e54dcb8043186adfe5a8f5124b4b826fe764c39c1d8431d4d05cbff409ed35d569f6ca8d0a13dc3c88f56eeac7b9fbd5e95cd2cc8fb99a61d75173d21d52e2fa160b6d1e5e7058d0bde5aca560ebfb2ffe00b08d7fb896211fd10037708e36fd4f3860	DrvInst.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023c87-1.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
2028	ISBEW64.exe
1512	ISBEW64.exe
4052	ISBEW64.exe
384	ISBEW64.exe
4996	ISBEW64.exe
1928	ISBEW64.exe
4244	ISBEW64.exe
4124	ISBEW64.exe
1992	ISBEW64.exe
848	ISBEW64.exe
3036	ISBEW64.exe
1448	qcmtusvc.exe
3980	DriverInstaller64.exe

Loads dropped DLL 9 IoCs

pid	Process
1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
3200	MsiExec.exe
3200	MsiExec.exe
3200	MsiExec.exe
3200	MsiExec.exe
3200	MsiExec.exe
4084	MsiExec.exe
3980	DriverInstaller64.exe
4084	MsiExec.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\e:	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{10c4d5f4-ed42-ec4d-8210-8e4847f5fbce}\SET3459.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_91142176ceafe65a\filter\amd64\qcusbfilter.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	rundll32.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DriverInstaller64.exe
File created	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}\serial\amd64\SET3C3B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c4109f0-799f-6f48-a80b-b780af5f79a9}\serial\amd64\SET3A85.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdss\amd64	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_c68a388aad774c96\qdbusb.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_91142176ceafe65a\qcfilter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c4109f0-799f-6f48-a80b-b780af5f79a9}\SET3A64.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\qcwwan.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c4109f0-799f-6f48-a80b-b780af5f79a9}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\ndis\6.2\amd64\SET3DA2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_936d995a371b46f4\qcwwan.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\ndis\6.2	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_c68a388aad774c96\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_91142176ceafe65a\qcfilter.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdbusb.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\qcser.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}\SET3C29.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}\SET3C3A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qdbusb.inf_amd64_c68a388aad774c96\qdbusb.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcser.inf_amd64_7d91b3baab562649\qcser.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\SET4014.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcfilter.inf_amd64_91142176ceafe65a\qcfilter.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdss\amd64\SET3F85.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}\serial\amd64\SET3C3B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\qcwwan.inf_amd64_936d995a371b46f4\qcwwan.PNF	DriverInstaller64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\SET3D81.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdss\amd64\SET3F95.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdbusb.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c4109f0-799f-6f48-a80b-b780af5f79a9}\qcser.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcmdm.inf_amd64_dd21d0caf44e7fa8\qcmdm.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\SET3D82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\ndis\6.2\amd64\SET3DA2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\SET3F96.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdss	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10c4d5f4-ed42-ec4d-8210-8e4847f5fbce}\filter\amd64\qcusbfilter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{10c4d5f4-ed42-ec4d-8210-8e4847f5fbce}\filter\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\ndis	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{10c4d5f4-ed42-ec4d-8210-8e4847f5fbce}\filter\amd64\SET346B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}\SET3C29.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e1146e81-9ad0-4742-bfc1-df94c4863b65}\SET3D82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ec3bc73-b5be-3a41-885e-c4eaa97afa4a}\qdss\amd64\SET3F85.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{439f83aa-7114-fb47-929c-995341391a00}\SET3C3A.tmp	DrvInst.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023c87-1.dat	upx
behavioral2/memory/1164-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1164-68-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1164-76-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1164-79-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1164-529-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\logReader.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\i386\qcusbnet.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\ndis\5.1\amd64\qcusbnet.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcmdm.inf	msiexec.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qcwwan.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdbusb.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\i386\qcusbwwan.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcmdm.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcfilter.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\amd64\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qcnet.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Difxapi\i386\DIFxAPI.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\i386\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\ndis\6.2\amd64\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qdcfg.exe	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\ndis\6.2\i386\qcusbwwan.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.cat	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\qdss\i386\qdbusb.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdss\i386\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\i386\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\i386\qcusbser.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qcser.inf	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\filter\amd64\qcusbfilter.sys	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows8\qdss\amd64\qdbusb.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\XP-Vista\serial\amd64\qcusbser.pdb	msiexec.exe
File created	C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Fre\Windows7\qdbusb.inf	msiexec.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI419A.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{D9FB7F91-9687-4B09-894D-072903CADEA4}	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9FB7F91-9687-4B09-894D-072903CADEA4}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\inf\oem6.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem7.inf	DrvInst.exe
File created	C:\Windows\Installer\e58247b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C7B.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DriverInstaller64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e58247b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2630.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem6.inf	DrvInst.exe
File created	C:\Windows\Installer\e58247d.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\inf\oem7.inf	DrvInst.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qcmtusvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DriverInstaller64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DriverInstaller64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Version = "16777253"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\19F7BF9D786990B498D4709230ACED4A\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductIcon = "C:\\Windows\\Installer\\{D9FB7F91-9687-4B09-894D-072903CADEA4}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0EA6D9F1380532E40BBD65C87A1302C4\19F7BF9D786990B498D4709230ACED4A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\ProductName = "Qualcomm USB Drivers For Windows"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\PackageCode = "54605E80078F0E84081B971B66E8A6D7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\PackageName = "QualcommWindowsDriverInstaller.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\19F7BF9D786990B498D4709230ACED4A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
964	msiexec.exe
964	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
Token: SeShutdownPrivilege	1696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	964	msiexec.exe
Token: SeCreateTokenPrivilege	1696	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1696	msiexec.exe
Token: SeLockMemoryPrivilege	1696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1696	msiexec.exe
Token: SeMachineAccountPrivilege	1696	msiexec.exe
Token: SeTcbPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeLoadDriverPrivilege	1696	msiexec.exe
Token: SeSystemProfilePrivilege	1696	msiexec.exe
Token: SeSystemtimePrivilege	1696	msiexec.exe
Token: SeProfSingleProcessPrivilege	1696	msiexec.exe
Token: SeIncBasePriorityPrivilege	1696	msiexec.exe
Token: SeCreatePagefilePrivilege	1696	msiexec.exe
Token: SeCreatePermanentPrivilege	1696	msiexec.exe
Token: SeBackupPrivilege	1696	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeShutdownPrivilege	1696	msiexec.exe
Token: SeDebugPrivilege	1696	msiexec.exe
Token: SeAuditPrivilege	1696	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1696	msiexec.exe
Token: SeChangeNotifyPrivilege	1696	msiexec.exe
Token: SeRemoteShutdownPrivilege	1696	msiexec.exe
Token: SeUndockPrivilege	1696	msiexec.exe
Token: SeSyncAgentPrivilege	1696	msiexec.exe
Token: SeEnableDelegationPrivilege	1696	msiexec.exe
Token: SeManageVolumePrivilege	1696	msiexec.exe
Token: SeImpersonatePrivilege	1696	msiexec.exe
Token: SeCreateGlobalPrivilege	1696	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeMachineAccountPrivilege	4268	msiexec.exe
Token: SeTcbPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeTakeOwnershipPrivilege	4268	msiexec.exe
Token: SeLoadDriverPrivilege	4268	msiexec.exe
Token: SeSystemProfilePrivilege	4268	msiexec.exe
Token: SeSystemtimePrivilege	4268	msiexec.exe
Token: SeProfSingleProcessPrivilege	4268	msiexec.exe
Token: SeIncBasePriorityPrivilege	4268	msiexec.exe
Token: SeCreatePagefilePrivilege	4268	msiexec.exe
Token: SeCreatePermanentPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeDebugPrivilege	4268	msiexec.exe
Token: SeAuditPrivilege	4268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4268	msiexec.exe
Token: SeChangeNotifyPrivilege	4268	msiexec.exe
Token: SeRemoteShutdownPrivilege	4268	msiexec.exe
Token: SeUndockPrivilege	4268	msiexec.exe
Token: SeSyncAgentPrivilege	4268	msiexec.exe
Token: SeEnableDelegationPrivilege	4268	msiexec.exe
Token: SeManageVolumePrivilege	4268	msiexec.exe
Token: SeImpersonatePrivilege	4268	msiexec.exe
Token: SeCreateGlobalPrivilege	4268	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1696	msiexec.exe
1696	msiexec.exe
4268	msiexec.exe
4268	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
3980	DriverInstaller64.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1696	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	82
PID 1164 wrote to memory of 1696	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	82
PID 1164 wrote to memory of 1696	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	82
PID 1164 wrote to memory of 4268	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	84
PID 1164 wrote to memory of 4268	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	84
PID 1164 wrote to memory of 4268	1164	2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe	84
PID 964 wrote to memory of 3200	964	msiexec.exe	86
PID 964 wrote to memory of 3200	964	msiexec.exe	86
PID 964 wrote to memory of 3200	964	msiexec.exe	86
PID 3200 wrote to memory of 2028	3200	MsiExec.exe	87
PID 3200 wrote to memory of 2028	3200	MsiExec.exe	87
PID 3200 wrote to memory of 1512	3200	MsiExec.exe	88
PID 3200 wrote to memory of 1512	3200	MsiExec.exe	88
PID 3200 wrote to memory of 4052	3200	MsiExec.exe	89
PID 3200 wrote to memory of 4052	3200	MsiExec.exe	89
PID 3200 wrote to memory of 384	3200	MsiExec.exe	90
PID 3200 wrote to memory of 384	3200	MsiExec.exe	90
PID 3200 wrote to memory of 4996	3200	MsiExec.exe	91
PID 3200 wrote to memory of 4996	3200	MsiExec.exe	91
PID 3200 wrote to memory of 1928	3200	MsiExec.exe	92
PID 3200 wrote to memory of 1928	3200	MsiExec.exe	92
PID 3200 wrote to memory of 4244	3200	MsiExec.exe	93
PID 3200 wrote to memory of 4244	3200	MsiExec.exe	93
PID 3200 wrote to memory of 4124	3200	MsiExec.exe	94
PID 3200 wrote to memory of 4124	3200	MsiExec.exe	94
PID 3200 wrote to memory of 1992	3200	MsiExec.exe	95
PID 3200 wrote to memory of 1992	3200	MsiExec.exe	95
PID 3200 wrote to memory of 848	3200	MsiExec.exe	96
PID 3200 wrote to memory of 848	3200	MsiExec.exe	96
PID 3200 wrote to memory of 3036	3200	MsiExec.exe	97
PID 3200 wrote to memory of 3036	3200	MsiExec.exe	97
PID 964 wrote to memory of 232	964	msiexec.exe	110
PID 964 wrote to memory of 232	964	msiexec.exe	110
PID 964 wrote to memory of 4084	964	msiexec.exe	113
PID 964 wrote to memory of 4084	964	msiexec.exe	113
PID 964 wrote to memory of 4084	964	msiexec.exe	113
PID 4084 wrote to memory of 3980	4084	MsiExec.exe	114
PID 4084 wrote to memory of 3980	4084	MsiExec.exe	114
PID 3988 wrote to memory of 2976	3988	svchost.exe	116
PID 3988 wrote to memory of 2976	3988	svchost.exe	116
PID 2976 wrote to memory of 2284	2976	DrvInst.exe	117
PID 2976 wrote to memory of 2284	2976	DrvInst.exe	117
PID 3988 wrote to memory of 708	3988	svchost.exe	118
PID 3988 wrote to memory of 708	3988	svchost.exe	118
PID 3988 wrote to memory of 2836	3988	svchost.exe	119
PID 3988 wrote to memory of 2836	3988	svchost.exe	119
PID 3988 wrote to memory of 2972	3988	svchost.exe	120
PID 3988 wrote to memory of 2972	3988	svchost.exe	120
PID 3988 wrote to memory of 1204	3988	svchost.exe	121
PID 3988 wrote to memory of 1204	3988	svchost.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_951e5314b5dcda4113f3c901d0b0ca1a_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /x {D9FB7F91-9687-4B09-894D-072903CADEA4} /passive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1696
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AE3CFD64B1C427826FB4CBCC1D69EC39 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E36A27A6-8B5A-412F-B0D6-AA0A0E56C36E}
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{288E409E-E88A-4CAF-B72E-BB53EE25A51C}
    3⤵
    - Executes dropped EXE
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2CA23804-6D9A-4EF9-9E59-8BBE452E1F5B}
    3⤵
    - Executes dropped EXE
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9E2F47EE-DD96-4F38-9B07-0B7DBDBAC06F}
    3⤵
    - Executes dropped EXE
    PID:384
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3580ABC4-73C9-41E3-B8DB-92F21C18C457}
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6773941D-1FF2-4175-9D11-350FC7221BEC}
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DED5D724-B5C6-4DD1-BAB3-E600B9AD971E}
    3⤵
    - Executes dropped EXE
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{641374D1-0619-41BD-B4FE-D72635F7BAEE}
    3⤵
    - Executes dropped EXE
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C224E60-F1E5-4F3D-9512-A1BC70224D0A}
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{639A3294-3456-4B37-938B-457E1A3EBF61}
    3⤵
    - Executes dropped EXE
    PID:848
- - C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8780F138-648C-407E-80A6-531014C5848E}
    3⤵
    - Executes dropped EXE
    PID:3036
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0E660CE66BB63A431C6336FDB4FA1EBC E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe
    "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe" "/I|0|C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:3980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2380

C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe
"C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf" "9" "4f0333d67" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{ad10a53e-6731-2142-b4ca-f531b5e4e698} Global\{b0350949-d761-9748-bb6e-8cb266e325f6} C:\Windows\System32\DriverStore\Temp\{10c4d5f4-ed42-ec4d-8210-8e4847f5fbce}\qcfilter.inf C:\Windows\System32\DriverStore\Temp\{10c4d5f4-ed42-ec4d-8210-8e4847f5fbce}\qcfilter.cat
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2284
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf" "9" "4417f2877" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:708
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf" "9" "4f8e1879b" "0000000000000160" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2836
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf" "9" "47c727a63" "0000000000000154" "WinSta0\Default" "0000000000000148" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2972
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf" "9" "4d5e0b807" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58247c.rbs

Filesize
37KB

MD5
a0ed215c97e7d8a0fcc72df975d77320

SHA1
50eb226985e87e473f4f9848313877f2ee8ef828

SHA256
a19e558c092ca3c67148a4eb05139b39ad31c5a4150a19707d0e2b798b887ad3

SHA512
6ffba628abb4810f138ba447437bcc917182916779f4e0068bad725682beefd39c60ad41ec1c34a90cce57a7a6b88b28113c01bd20211f3eb06c9a9510778c0f

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\filter\amd64\qcusbfilter.sys

Filesize
39KB

MD5
45ef50b1446371ec2411e6ec6f6dabab

SHA1
d2e78f2eba854b57626e69fd9298cd390d76f544

SHA256
65b7baabfcb0788147b1a5bb03083008f6040f6c321b6a5e2892680c5eec9abd

SHA512
5f0377571bd44c83fbd64b8406fcfcf47aef3cd5308d664193d364f978e87c67aa00fd456cc8647ce06381e6c9c6c621a16b5708330776091ca3c6b130957b37

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\ndis\6.2\amd64\qcusbwwan.sys

Filesize
504KB

MD5
4999657681bacef73fd6c5162a3bbfb5

SHA1
5d062c1acc28c4e3852043bbbdd87266f22dc478

SHA256
2d759dfd3a6623edd3b2f1634e6192815c25952094ae72cfbbd9ea46d25f7226

SHA512
637295c1c467316268268c2a2b529e0a0175c471807c6cddedf83ddfa2537554720bc53cbabf3864d58c0fb7cd41669805b842c0c58a06caf5d6243143ece290

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcfilter.cat

Filesize
94KB

MD5
184fb15f93f73790d5dfae0a22557ee4

SHA1
f3de31f1db7e76fd26d7ad4953b0a01c070da8ba

SHA256
2443015b8822a3793c141571135ef1cb79f324700d33266103e3ba599e1b6c21

SHA512
5e6e8a7fc5187f886e33769028f2f4aa5410615c681eb0aa0136ac08c81954c86d7a58b000004294dc60239d8f76c3bda9eafcfd3f1ad7d1c86bd3eb6ad2ea3e

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcser.cat

Filesize
95KB

MD5
acdc05e308c96515b4b8eda582b1191a

SHA1
9ed26a48419a8435cb6982e6d1d86585213621ee

SHA256
550507c87bdd89d0619328529fefee2933736c85d239367c5e429e0d6febd07c

SHA512
1c7bbbc1144e66cc87977074f73bd6c86ba05ca21fadf7f8ac81088fca6776a20fb5d260c366006100adb766697f91e4f2cd4290d2662ec52b0db60dbff93963

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qcwwan.cat

Filesize
94KB

MD5
a08b4295c74ebc18d6a5f281ca2c3eea

SHA1
9718561dd5f541854bb3dceb0554ee780f4cad43

SHA256
be76010e324e2fcd9990a82265ff8757375f45fc692202ebf5d974b85fcbc777

SHA512
170b32913c40c94ef7d32d2c2c011b6671feb64a91b1ba9c5f0ba44db79264b577871bedbc58ff308ea98926f767823432a86f0749208c1092460d6adb5c92f9

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdbusb.cat

Filesize
95KB

MD5
582be70e74fd908714af436aa546c119

SHA1
b8179d1f818322da5593d19646e646084ec846e7

SHA256
8c3208d04d1c5fe011659b97692a024df5a607f1a480072127bb0f47073aeffa

SHA512
dce438135be6786e57eda011b786596c751e3ab7bd15e5553ac7643f54d7014aff6d723c52732d306d70054c3a9980968e71fd14dd1480590290fe34f9134a17

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdss\amd64\qdbusb.sys

Filesize
44KB

MD5
c6ea8d40d2bf25d9011c37e27d65c484

SHA1
9d00f36c1ba545c2c140aa12e6ff0b5917b17f8b

SHA256
ed89b3315d5ff28ccde22b90680d44c7ad8de630601baa2921c96c25d85aae3f

SHA512
b54d2e8dd7692ea4f9308be891330d277ba7b592e2a40b1a330176668d1e3aa7243cd792c70743d1f978bcf992116c4c6f28f2cb02fd4536d53cedc9a13e26ea

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\qdss\amd64\wdfcoinstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\PROGRA~2\QUALCO~1\QUALCO~1\DRIVER~1\Qualcomm\fre\Windows7\serial\amd64\qcusbser.sys

Filesize
239KB

MD5
358bc4b7bf9bca41abea485058f9b360

SHA1
47974d8e6512497c9ad6a79919e1cd58366d5e97

SHA256
6fff206a1def97219541568d76d2077ac5db1daef2c6d995f6ac4a83e57ed898

SHA512
1d6de7f4db5f2320889f8e23176b8e6ebacd8ed03fb7bbb62841e105c83fcc6eaa571c89e605f3d41258fa629dd72c5e2305ea7c26855735b1baced84046404a

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DifxApi\amd64\difxapi.dll

Filesize
507KB

MD5
9495b07f33ded991c65d9b04945d44c5

SHA1
db9d5ec47980eb0709faba0cda283ff99d643b7c

SHA256
bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

SHA512
36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\DriverInstaller64.exe

Filesize
2.2MB

MD5
6e0321ff9f386106d64e7b863e1866ea

SHA1
f9898d7bdd18691518ff1d615a693922bcc3a26c

SHA256
f0cbd9fb9abc814e470a4126d3f7b7bf2fc769c20593b402ad2cb979e4817625

SHA512
0449c4ee6fb9798d6dc24e08d70aabc8fb1ecec4696c34e42440ff8a93ae93f058a235b8cf0078699723cbc42a3a579519d048ace5add0bd28d5866fb4d3eb04

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\Tools\qcmtusvc.exe

Filesize
81KB

MD5
cf9a93ed8f3b472a9c1eb6acb619b9d4

SHA1
9725cb577b28f9a71d66af1f5c075423c3f2c66a

SHA256
b6d6cbf256f08fe397d23c989d41ff6f4bd60b11751f7e7585cfe5dc534b5e26

SHA512
d79581bb5a82a3b396faa20683f5afdcc2933ff525450722142541dbb9450b99f31910983c41420b47dc9b09f2507738d00bcd4047aabbfe23c9a325970394b4

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcfilter.inf

Filesize
36KB

MD5
4e8ff95823ed15cf1bb13489f88784f5

SHA1
f25210d6d26b842ae8a11e3b5c4e18835e4a3b13

SHA256
5fa46ab5487d00840642d82eb321aab0c716b19dc9cd21aaa4af74a7b47a5e2e

SHA512
6d2056e302c73e7092cbd5badb705ae52fb99b4279c174b524c3656d090434e45a2c0e9c4ed24f4215cff112bbe3ae317776bb00d58a7a27c99266c589bcc667

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcmdm.inf

Filesize
44KB

MD5
f1ee860f01ef686168926b2eb70da7aa

SHA1
5000f8e9c765906819b7bc5ee7ba9a8de8c0f4ee

SHA256
db8c72dffd89b859c8d3b511d3c0452d031079c21648d94a8cdfb9c403e492dd

SHA512
12823e92a89b2b52d85388f732dcf57303b3bc3f03fa4332244f30d2a180458cb0e58f533c62608f5ac1613b99df4f4b873e8d663e5f5ca9d4cca379bda1e020

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcser.inf

Filesize
100KB

MD5
66702ca8991184e99b39304cbe964bb3

SHA1
99d9453c89e7fedd06f12f3d96b9931e63bdec29

SHA256
717d8c9eb75808d711ec31ad97f5cf4699798c95d4336f57cc54ff09aab9ff6e

SHA512
e3efbb1be20fc84f31112f75fe412d8e7efaf980038a09e2e9a502810e173dbee0abc3ce4c3a6ac608a84ea9cdeafd5fb32ea44da3e5f39d184363e6167cb950

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qcwwan.inf

Filesize
72KB

MD5
be202547e7b7317e0eaacb373fb65034

SHA1
f286b1dff477e7bb1b89028d10ed2164f43ee1c1

SHA256
635ec113fb8682ccb237afae4de441882a3edd12526fd7d0f4e0450c54cf8bc6

SHA512
b6fab25bfbd1fef0ad4fa25b1f72829a189fcbb98abb1c36d484fa21acfd8cf71efc58dcb869c424ad8aea8469d224f71a653bd7d14fb82561c815ac1e534c1a

Download Submit
C:\Program Files (x86)\QUALCOMM Incorporated\Qualcomm USB Drivers For Windows\DriverPackage\Qualcomm\fre\Windows7\qdbusb.inf

Filesize
8KB

MD5
028f4b4eea445e57839a0511736cb887

SHA1
55074bcd41bc4b90b52f89d7fd20b35885b3ad95

SHA256
248c3c0a0a6b2f2a7f7438120906d29c8adbb9ee447dd47d7eb16a7c260f531d

SHA512
7faeaccfbd89cfed6bd00fab215e906673505bb64baff4760e7c5fbc385b23b85131d2769bacbaa5f3af3d4cf078ff7d9e61986b5421fb256d64f4726efa7690

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI92DA.tmp

Filesize
1.3MB

MD5
ca189a2b762e64d61303bfd4d88fd0a6

SHA1
13bf55664fb0345d3931458f75b6039c1213f46a

SHA256
dc5094ceb682772d95b427230bfb1af29df90ef67fe8afb08c43a0f2af3f880a

SHA512
31bb912f5c5f6cd6577f8529fcbbfc0bf4d0bda5e1904772c57cd942520db7dd1c10657e8695d16418a05763202af1034e4e47a7db8a8be618b9e330e8a544bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi

Filesize
20.7MB

MD5
cde633c7be2c8db52f0922f8a8e0c613

SHA1
a9bc8e3c20244d7057843ebb5ce6152f9ef1bd7f

SHA256
a7d18848d352986989170eaae01af8439b91b732544662c80c17bad8605353e5

SHA512
e32e7bf3c682f070bfae158d98565aa4285bb0154f6655469ad470289845182d757623ad55bd649c39a5c2cd9f8da15aa564d71103084d8fafb336921211009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISBEW64.exe

Filesize
146KB

MD5
c3b2acc07bb0610405fc786e3432bef9

SHA1
333d5f2b55bd00ad4311ba104af7db984f953924

SHA256
9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894

SHA512
2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\ISRT.dll

Filesize
260KB

MD5
a93f625ef42b54c2b0f4d38201e67606

SHA1
cbfebc1f736ccfc65562ede79a5ae1a8afb116a1

SHA256
e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0

SHA512
805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7AFC8640-2FC2-4EFB-BE38-59D6C3D6BB2E}\_isres_0x0409.dll

Filesize
540KB

MD5
d6bbf7ff6984213c7f1f0f8f07c51e6a

SHA1
cfe933fc3b634f7333adec7ec124c14e9d19ac21

SHA256
6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2

SHA512
a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d

Download Submit
C:\Windows\Installer\MSI2C7B.tmp

Filesize
1.6MB

MD5
ab8d1cf0de0c1594c2093ccf0128e0b8

SHA1
ddba6dc5c69ba72c879fb15cc109503adb759fdc

SHA256
2f975e52b9e6a99dd3515f7b9bc30e89d39cb44e9fb1a8f3e43ab330df42f0a4

SHA512
0a01b500ef221777ffeeacccf47794d1d468bf86a24f53a6558cd21d244dfb614f552047352f8c5c01682322fceab21089bc2a8bef6ad502c81b347b8f8c1fb9

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
2c09476eff1fbc265b96eb43ed4e76ba

SHA1
b0f264525647ddcca6612087e85829e4fbe39927

SHA256
fe3c0b1424a6034a106ca2eaa5ec2632fbcb7fb0afa99bef99ffc78e6511dd9d

SHA512
2c00854811119aea2ae9c49ec9dfc745e8e4296e627021264acdb175b149be0f3d96cf1e61bbf0f413f1f792a3163378cf91a4b384cb59acbce947b3a6356f0f

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
daf64fec4cd2878f386efdae00201134

SHA1
3590c39ae6af6ca03d1774891148755547d10e1f

SHA256
3d1ca41f83dd38846fddf92d68513450c7c65ea8b492ee997f800642c525fb94

SHA512
b40a18f2dc9011866b6eaee8326f2c1fc2e523605fafe7149e531ebab852a5ecd06bb393aeac8531ebd5683a518480f40c9c0d8ba6d0bebf7a1d8ebfe374f303

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
f3c2509dc330d576086ceb4684ffaaa6

SHA1
35afab6911eb9c9cecd6070b7dcb029ce57fab57

SHA256
fd210a2d70eec7be0116dd004f53a4d8cf2c8e1d0120c08ee6bd2cf01e7331fd

SHA512
f8cd7e64c7e1ca785ffaca49557a735f8e164ee30abbca4fb7dd91e212f8cb9b4e3ed5201dc4d92d3182c20918e077fb4d448261c450a7fa17d08f7646e9acaa

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
c7be7ce7f9b4078c459fb9899f402733

SHA1
d7bc9513da065629c704bc0074a8f2d029e6b730

SHA256
25f6b67450cbe52680dd42d99937cbd04ba6f5bf69246cb7e184c3d6a5bc5f99

SHA512
afa700a75cc0fbb0cbd9663e3e10577ceb911b32643c25be7ca7c2813a5207378ff6fc890d1cda437e5f319832dbf73de79866f14e5b117abe9253830472afb1

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
906f25658b9937dc71415b7d4f0c1b51

SHA1
be59008a40186b8c5ba7417030be063f990d4545

SHA256
cd9031d71a1d15d31aede146362c7a5b1906dbaf4fe99c29a3c31d10de2624fb

SHA512
d27c9fd1c66e7615a867b696bf460fe2869f92fda387cb58541f0d2c504abe799d924f6d4ad00ab2cf3a7c20a64599aca502edd679ea4e4b764f948cfec3bcd1

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
2740f73a052b2280e222259f3689076c

SHA1
8983a60bcb33a165a06e3fbfed1c2c4de11b97fe

SHA256
d135f9f43eb828f0c4b825347f9a1efd22488a72385030f143433f23440f8eb1

SHA512
46e81d3a1d87b1f73bc4ca1fc384304aff551aafe3af05d1749acda7da949b6a811f6d02a83231d2a97c12d389075055d054d99d11956107bba92cba322f7260

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
37KB

MD5
953c3f88e4914aa1d8035f67e1f15987

SHA1
cd21083f5f5155075eabcb630d77303c686b8b6d

SHA256
6f6d5dd0f3d701f2d3cc3f5a27ed2bbbfd2e648ae885bee67a0b82c5ec8b43fa

SHA512
bac444ff60194e5b6504b334c95ff07b59f2a666c96b5b0006f31108d5cf7706fc2ff0d0d6a4eca662ac421765ede3829f3a0f273e41cd89c184aca31959187f

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
a34a59f64c5c8347c05db9aba4d9434b

SHA1
1a691e9c42aa3876241f645ecb5770f5aab16ee5

SHA256
34e29f27cb3b9d4181b90c165529c7b655e9971b2baefe98cf9825bd74c15524

SHA512
e5ff0ad3e5395c259ce4e1dbe5804ab014043e699f2eea9905bab68260f592b9dca008656f65c7335db83de6f313a447f3f68d972a0719bde01a375de40d954d

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
38KB

MD5
025fd0c90fe2e2d34d888fe7717d9939

SHA1
9a84e78bd57a540c07eeb69491a2369853a0e889

SHA256
3349c7ff190330c11c1e10994b7435aa9bd2850846c66828ab3c1fefb743466a

SHA512
bd94ae763d2b0137397cbab9a8c418eefe25a8ce61482d6ad6b00268676e689605108c5bf3ba6d66ab6d25fb97a36b528e212d3d79aaa529e87aad0c308c16d6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
6c28a6bbfbc5ee9e9e51538705c36b38

SHA1
e729e812aecca86ae5a9b2cfca97fc28e3df4c30

SHA256
fb35b19ae8e732569baab716ff97c3116ccdd4547a337e5eb85e1b1ff27c6009

SHA512
d1300e37c63b2bc50ac6f7b5fe5229fa855544eff921086e914b1d66e3f19298be1019af93bce59941dd539b5464ca503708ce2cdf3af756d209e5528fb16666

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{372c2799-f214-4537-aa44-a359f58b4fe5}_OnDiskSnapshotProp

Filesize
6KB

MD5
c7058116eadbe0c8621f364b72be5015

SHA1
39c3476092bd356e8d0f4020b89d56ef872272a2

SHA256
9b45911bf0aaffd394f989195aa759931ebd4d1eae58327aa905b4c1f0afcc4d

SHA512
bb7226c2139ef747ac3c9117e16e916e2bd22443b84ef66c7e585367d3cf61ac3a15a139b9b8b1b5dafe41bcbd8fb76ba027f66649d8834b73a24749a8f11fbf

Download Submit
memory/1164-68-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1164-76-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1164-79-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1164-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1164-529-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3200-16-0x0000000010000000-0x00000000101B5000-memory.dmp

Filesize
1.7MB

Download
memory/3200-40-0x00000000033F0000-0x0000000003497000-memory.dmp

Filesize
668KB

Download
memory/3200-45-0x0000000003520000-0x00000000035A9000-memory.dmp

Filesize
548KB

Download
memory/3200-39-0x00000000033F0000-0x0000000003497000-memory.dmp

Filesize
668KB

Download