810fe0c87a71f369609b6a7000a149297d466d33a0558d9272f24afc463ccb83

Analysis

max time kernel
300s
max time network
280s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31-10-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DR4G0N_FR4ME_4.rar
Size

61.2MB
MD5

af1bc272e2e428223014233bf6bfe4f3
SHA1

feb1c8d60559094683942d1963944a8739459688
SHA256

810fe0c87a71f369609b6a7000a149297d466d33a0558d9272f24afc463ccb83
SHA512

53415fffa5d1f5cdd3e70e876b85d4dc419737b3d6e79c25e80990f7c191b5442c5177be734a37ced1b53fca3610b87d55633116b16f95ec8bc41347751d3618
SSDEEP

1572864:jYMgVp38JSYr49DIUbcXp/bnpiZ4JW8f5mGw6OpRFV:/gz8gYc9DIucXBjEZ4s8fO

Score

8^/10

defense_evasion discovery exploit upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

DragonFrame_4-1-8_Activation.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts DragonFrame_4-1-8_Activation.tmp
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

3396 takeown.exe
2500 icacls.exe
3528 takeown.exe
1180 icacls.exe
4704 takeown.exe
2120 icacls.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DragonFrame_4-1-8_Activation.tmp

pid	process
3396	takeown.exe
2500	icacls.exe
3528	takeown.exe
1180	icacls.exe
4704	takeown.exe
2120	icacls.exe

Executes dropped EXE 15 IoCs

Processes:

Dragonframe_4.1.8-Setup.exeDragonframe_4.1.8-Setup.exeDragonFrame_4-1-8_Activation.exeDragonFrame_4-1-8_Activation.tmpRead Me.exeRead Me.tmpDragonframe.exeDragonFrame4LicenseGenerator.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exe

pid	process
1640	Dragonframe_4.1.8-Setup.exe
3684	Dragonframe_4.1.8-Setup.exe
4404	DragonFrame_4-1-8_Activation.exe
4372	DragonFrame_4-1-8_Activation.tmp
1780	Read Me.exe
3056	Read Me.tmp
3408	Dragonframe.exe
3716	DragonFrame4LicenseGenerator.exe
1952	Dragonframe.exe
940	Dragonframe.exe
2332	Dragonframe.exe
2432	Dragonframe.exe
4228	Dragonframe.exe
2020	Dragonframe.exe
4844	Dragonframe.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exe

pid	process
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2760	MsiExec.exe
2760	MsiExec.exe
2760	MsiExec.exe
2760	MsiExec.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

3396 takeown.exe
2500 icacls.exe
3528 takeown.exe
1180 icacls.exe
4704 takeown.exe
2120 icacls.exe

pid	process
3396	takeown.exe
2500	icacls.exe
3528	takeown.exe
1180	icacls.exe
4704	takeown.exe
2120	icacls.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Dragonframe_4.1.8-Setup.exeDragonframe_4.1.8-Setup.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\G:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\O:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\O:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\S:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\T:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\S:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Z:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\L:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Q:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\M:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\U:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\W:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\P:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\U:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\V:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\B:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\E:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\K:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\T:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\J:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\V:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Z:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\N:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\B:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\M:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Q:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\Y:	Dragonframe_4.1.8-Setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	Dragonframe_4.1.8-Setup.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\DZED\Dragonframe 4\DragonFrame4LicenseGenerator.exe	upx
behavioral1/memory/3716-307-0x0000000000400000-0x0000000000709000-memory.dmp	upx
behavioral1/memory/3716-314-0x0000000000400000-0x0000000000709000-memory.dmp	upx
behavioral1/memory/3716-315-0x0000000000400000-0x0000000000709000-memory.dmp	upx
behavioral1/memory/3716-332-0x0000000000400000-0x0000000000709000-memory.dmp	upx
behavioral1/memory/3716-333-0x0000000000400000-0x0000000000709000-memory.dmp	upx

Drops file in Program Files directory 49 IoCs

Processes:

msiexec.exeDragonFrame_4-1-8_Activation.tmp

description	ioc	process
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\DFMoco\DFMoco.ino	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\msvcr120.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\avutil-54.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\Arc Focus.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\Arc Triad Pan.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\DFRemote\README.rtf	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Sounds\README.rtf	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\msvcp120.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Using Dragonframe 4.pdf	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\turbojpeg.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DZED\Dragonframe\TestsFolder.ico	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\Axis360 Slide.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\DitoGear OmniSlider Stepper.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Scripting\dragonframe_script.bat	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Sounds\cat.wav	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\LightProfiles\OnOff.dflp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Gamepads\gamecontrollerdb.txt	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\REDR3D-x64.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DZED\Dragonframe\FramesFolder.ico	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\swresample-1.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\Axis360 Rotation.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\eMotimo.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Face Sets\Dr. Sock.psd	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\DFRemote\DFRemote.ino	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DZED\Dragonframe\TakeFolder.ico	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\avformat-56.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\swscale-3.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\Arc Triad Roll.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\Arc Triad Tilt.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\DitoGear OmniHead.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\IOTA 3D Slider.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\DFMoco\README.rtf	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\avcodec-56.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\ARRIRAW_SDK.dll	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\is-KJNGU.tmp	DragonFrame_4-1-8_Activation.tmp
File opened for modification	C:\Program Files\DZED\Dragonframe 4\DragonFrame.exe	DragonFrame_4-1-8_Activation.tmp
File created	C:\Program Files\DZED\Dragonframe 4\Resources\DFRemote\DFRemoteExample.ino	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\DitoGear LensDrive.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\AxisPresets\DitoGear OmniSlider Servo.arcp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Arc Motion Control\DFMoco\DFMoco_Protocol.rtf	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Face Sets\MOUTH SHAPES.psd	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Face Sets\README.rtf	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\LightProfiles\Linear.dflp	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Scripting\dragonframe_script.sh	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DZED\Dragonframe\SceneFolder.ico	msiexec.exe
File created	C:\Program Files\DZED\Dragonframe 4\SDL2.dll	msiexec.exe
File opened for modification	C:\Program Files\DZED\Dragonframe 4\DragonFrame4LicenseGenerator.exe	DragonFrame_4-1-8_Activation.tmp
File created	C:\Program Files\DZED\Dragonframe 4\Resources\Scripting\README.rtf	msiexec.exe

Drops file in Windows directory 18 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI3A36.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1E5BAA60-2A5D-42E6-B788-294EFA3E77E4}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BEF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF67E8DE2374D949C4.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI395B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8C0D9EC5DAF35848.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{1E5BAA60-2A5D-42E6-B788-294EFA3E77E4}\windows.exe	msiexec.exe
File created	C:\Windows\Installer\e583805.msi	msiexec.exe
File created	C:\Windows\Installer\e583803.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583803.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF63AC5C4AD412FDAF.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD6CC51449C5DE2E1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3AB5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{1E5BAA60-2A5D-42E6-B788-294EFA3E77E4}\windows.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Dragonframe_4.1.8-Setup.execmd.exeattrib.exeRead Me.exeDragonframe_4.1.8-Setup.execmd.execmd.execmd.exeDragonFrame_4-1-8_Activation.tmpDragonFrame4LicenseGenerator.exeMsiExec.exeMsiExec.exeattrib.exeattrib.exetaskkill.exetaskkill.execmd.exeattrib.execmd.exeDragonFrame_4-1-8_Activation.exeRead Me.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dragonframe_4.1.8-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Read Me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dragonframe_4.1.8-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonFrame_4-1-8_Activation.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonFrame4LicenseGenerator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonFrame_4-1-8_Activation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Read Me.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002fc80c284bade0450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002fc80c280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002fc80c28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2fc80c28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002fc80c2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1940 taskkill.exe
1144 taskkill.exe

pid	process
1940	taskkill.exe
1144	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 30 IoCs

Processes:

msiexec.exeBackgroundTransferHost.exe7zFM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\ProductIcon = "C:\\Windows\\Installer\\{1E5BAA60-2A5D-42E6-B788-294EFA3E77E4}\\windows.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06AAB5E1D5A26E247B8892E4AFE3774E\MainFeature	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A421D07999D71994691AF5AF3C12250C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\ProductName = "Dragonframe 4"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\PackageCode = "CC042CDD7A014AB44926E81F212C308A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A421D07999D71994691AF5AF3C12250C\06AAB5E1D5A26E247B8892E4AFE3774E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\DZED Systems LLC\\Dragonframe 4 4.1.8\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\Version = "67174408"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\DZED Systems LLC\\Dragonframe 4 4.1.8\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06AAB5E1D5A26E247B8892E4AFE3774E	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06AAB5E1D5A26E247B8892E4AFE3774E\SourceList\PackageName = "setup.x64.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Dragonframe_4.1.8-Setup.exeDragonframe_4.1.8-Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Dragonframe_4.1.8-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Dragonframe_4.1.8-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Dragonframe_4.1.8-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Dragonframe_4.1.8-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Dragonframe_4.1.8-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Dragonframe_4.1.8-Setup.exe

Suspicious behavior: AddClipboardFormatListener 8 IoCs

Processes:

Dragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exe

pid	process
3408	Dragonframe.exe
1952	Dragonframe.exe
940	Dragonframe.exe
2332	Dragonframe.exe
2432	Dragonframe.exe
4228	Dragonframe.exe
2020	Dragonframe.exe
4844	Dragonframe.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msiexec.exeDragonFrame_4-1-8_Activation.tmpDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exe

pid	process
3688	msiexec.exe
3688	msiexec.exe
4372	DragonFrame_4-1-8_Activation.tmp
4372	DragonFrame_4-1-8_Activation.tmp
3408	Dragonframe.exe
3408	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2020	Dragonframe.exe
2020	Dragonframe.exe
4844	Dragonframe.exe
4844	Dragonframe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2884 7zFM.exe

pid	process
2884	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exemsiexec.exeDragonframe_4.1.8-Setup.exe

description	pid	process
Token: SeRestorePrivilege	2884	7zFM.exe
Token: 35	2884	7zFM.exe
Token: SeSecurityPrivilege	2884	7zFM.exe
Token: SeSecurityPrivilege	3688	msiexec.exe
Token: SeCreateTokenPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeLockMemoryPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeIncreaseQuotaPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeMachineAccountPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeTcbPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSecurityPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeTakeOwnershipPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeLoadDriverPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSystemProfilePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSystemtimePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeProfSingleProcessPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeIncBasePriorityPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreatePagefilePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreatePermanentPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeBackupPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeRestorePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeShutdownPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeDebugPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeAuditPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSystemEnvironmentPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeChangeNotifyPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeRemoteShutdownPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeUndockPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSyncAgentPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeEnableDelegationPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeManageVolumePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeImpersonatePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreateGlobalPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreateTokenPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeLockMemoryPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeIncreaseQuotaPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeMachineAccountPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeTcbPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSecurityPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeTakeOwnershipPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeLoadDriverPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSystemProfilePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSystemtimePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeProfSingleProcessPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeIncBasePriorityPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreatePagefilePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreatePermanentPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeBackupPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeRestorePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeShutdownPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeDebugPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeAuditPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSystemEnvironmentPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeChangeNotifyPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeRemoteShutdownPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeUndockPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeSyncAgentPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeEnableDelegationPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeManageVolumePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeImpersonatePrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreateGlobalPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeCreateTokenPrivilege	1640	Dragonframe_4.1.8-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1640	Dragonframe_4.1.8-Setup.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zFM.exeDragonframe_4.1.8-Setup.exeDragonFrame_4-1-8_Activation.tmp

pid process

2884 7zFM.exe
2884 7zFM.exe
1640 Dragonframe_4.1.8-Setup.exe
1640 Dragonframe_4.1.8-Setup.exe
4372 DragonFrame_4-1-8_Activation.tmp

pid	process
2884	7zFM.exe
2884	7zFM.exe
1640	Dragonframe_4.1.8-Setup.exe
1640	Dragonframe_4.1.8-Setup.exe
4372	DragonFrame_4-1-8_Activation.tmp

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

Dragonframe.exeDragonFrame4LicenseGenerator.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exeDragonframe.exe

pid	process
3408	Dragonframe.exe
3408	Dragonframe.exe
3716	DragonFrame4LicenseGenerator.exe
3408	Dragonframe.exe
3408	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
1952	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
940	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2332	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
2432	Dragonframe.exe
4228	Dragonframe.exe
2020	Dragonframe.exe
2020	Dragonframe.exe
2020	Dragonframe.exe
2020	Dragonframe.exe
4844	Dragonframe.exe
4844	Dragonframe.exe
4844	Dragonframe.exe
4844	Dragonframe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeDragonframe_4.1.8-Setup.execmd.execmd.exeDragonFrame_4-1-8_Activation.exeDragonFrame_4-1-8_Activation.tmpcmd.execmd.execmd.exe

description	pid	process	target process
PID 3688 wrote to memory of 2080	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2080	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2080	3688	msiexec.exe	MsiExec.exe
PID 1640 wrote to memory of 3684	1640	Dragonframe_4.1.8-Setup.exe	Dragonframe_4.1.8-Setup.exe
PID 1640 wrote to memory of 3684	1640	Dragonframe_4.1.8-Setup.exe	Dragonframe_4.1.8-Setup.exe
PID 1640 wrote to memory of 3684	1640	Dragonframe_4.1.8-Setup.exe	Dragonframe_4.1.8-Setup.exe
PID 3688 wrote to memory of 4576	3688	msiexec.exe	srtasks.exe
PID 3688 wrote to memory of 4576	3688	msiexec.exe	srtasks.exe
PID 3688 wrote to memory of 2760	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2760	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2760	3688	msiexec.exe	MsiExec.exe
PID 1640 wrote to memory of 1336	1640	Dragonframe_4.1.8-Setup.exe	cmd.exe
PID 1640 wrote to memory of 1336	1640	Dragonframe_4.1.8-Setup.exe	cmd.exe
PID 1640 wrote to memory of 1336	1640	Dragonframe_4.1.8-Setup.exe	cmd.exe
PID 1640 wrote to memory of 72	1640	Dragonframe_4.1.8-Setup.exe	cmd.exe
PID 1640 wrote to memory of 72	1640	Dragonframe_4.1.8-Setup.exe	cmd.exe
PID 1640 wrote to memory of 72	1640	Dragonframe_4.1.8-Setup.exe	cmd.exe
PID 1336 wrote to memory of 2680	1336	cmd.exe	attrib.exe
PID 1336 wrote to memory of 2680	1336	cmd.exe	attrib.exe
PID 1336 wrote to memory of 2680	1336	cmd.exe	attrib.exe
PID 72 wrote to memory of 4956	72	cmd.exe	attrib.exe
PID 72 wrote to memory of 4956	72	cmd.exe	attrib.exe
PID 72 wrote to memory of 4956	72	cmd.exe	attrib.exe
PID 1336 wrote to memory of 3896	1336	cmd.exe	attrib.exe
PID 1336 wrote to memory of 3896	1336	cmd.exe	attrib.exe
PID 1336 wrote to memory of 3896	1336	cmd.exe	attrib.exe
PID 72 wrote to memory of 1708	72	cmd.exe	attrib.exe
PID 72 wrote to memory of 1708	72	cmd.exe	attrib.exe
PID 72 wrote to memory of 1708	72	cmd.exe	attrib.exe
PID 1336 wrote to memory of 1004	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1004	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1004	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 3436	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 3436	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 3436	1336	cmd.exe	cmd.exe
PID 72 wrote to memory of 3464	72	cmd.exe	cmd.exe
PID 72 wrote to memory of 3464	72	cmd.exe	cmd.exe
PID 72 wrote to memory of 3464	72	cmd.exe	cmd.exe
PID 72 wrote to memory of 1180	72	cmd.exe	cmd.exe
PID 72 wrote to memory of 1180	72	cmd.exe	cmd.exe
PID 72 wrote to memory of 1180	72	cmd.exe	cmd.exe
PID 4404 wrote to memory of 4372	4404	DragonFrame_4-1-8_Activation.exe	DragonFrame_4-1-8_Activation.tmp
PID 4404 wrote to memory of 4372	4404	DragonFrame_4-1-8_Activation.exe	DragonFrame_4-1-8_Activation.tmp
PID 4404 wrote to memory of 4372	4404	DragonFrame_4-1-8_Activation.exe	DragonFrame_4-1-8_Activation.tmp
PID 4372 wrote to memory of 1940	4372	DragonFrame_4-1-8_Activation.tmp	taskkill.exe
PID 4372 wrote to memory of 1940	4372	DragonFrame_4-1-8_Activation.tmp	taskkill.exe
PID 4372 wrote to memory of 1940	4372	DragonFrame_4-1-8_Activation.tmp	taskkill.exe
PID 4372 wrote to memory of 1144	4372	DragonFrame_4-1-8_Activation.tmp	taskkill.exe
PID 4372 wrote to memory of 1144	4372	DragonFrame_4-1-8_Activation.tmp	taskkill.exe
PID 4372 wrote to memory of 1144	4372	DragonFrame_4-1-8_Activation.tmp	taskkill.exe
PID 4372 wrote to memory of 4292	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 4372 wrote to memory of 4292	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 4292 wrote to memory of 3528	4292	cmd.exe	takeown.exe
PID 4292 wrote to memory of 3528	4292	cmd.exe	takeown.exe
PID 4372 wrote to memory of 5000	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 4372 wrote to memory of 5000	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 5000 wrote to memory of 1180	5000	cmd.exe	icacls.exe
PID 5000 wrote to memory of 1180	5000	cmd.exe	icacls.exe
PID 4372 wrote to memory of 3524	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 4372 wrote to memory of 3524	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 3524 wrote to memory of 4704	3524	cmd.exe	takeown.exe
PID 3524 wrote to memory of 4704	3524	cmd.exe	takeown.exe
PID 4372 wrote to memory of 2312	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe
PID 4372 wrote to memory of 2312	4372	DragonFrame_4-1-8_Activation.tmp	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2680 attrib.exe
4956 attrib.exe
3896 attrib.exe
1708 attrib.exe

pid	process
2680	attrib.exe
4956	attrib.exe
3896	attrib.exe
1708	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DR4G0N_FR4ME_4.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1124

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Read Me.txt
1⤵
PID:2152

C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Dragonframe_4.1.8-Setup.exe
"C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Dragonframe_4.1.8-Setup.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Dragonframe_4.1.8-Setup.exe
"C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Dragonframe_4.1.8-Setup.exe" /i "C:\Users\Admin\AppData\Roaming\DZED Systems LLC\Dragonframe 4 4.1.8\install\setup.x64.msi" CHAINERUIPROCESSID="1640Chainer" EXECUTEACTION="INSTALL" SECONDSEQUENCE="1" CLIENTPROCESSID="1640" ADDLOCAL="MainFeature" ACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " AI_SETUPEXEPATH="C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Dragonframe_4.1.8-Setup.exe" SETUPEXEDIR="C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\" TARGETDIR="F:\" APPDIR="C:\Program Files\DZED\Dragonframe 4\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dragonframe 4"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4D24.tmp.bat" "
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\attrib.exe
ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\DZEDSY~1\DRAGON~1.8\install\SETUPX~1.MSI"
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2680

C:\Windows\SysWOW64\attrib.exe
ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE4D24.tmp.bat"
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4D24.tmp.bat" "
3⤵
- System Location Discovery: System Language Discovery
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
3⤵
- System Location Discovery: System Language Discovery
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE4D73.tmp.bat" "
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:72

C:\Windows\SysWOW64\attrib.exe
ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\DZEDSY~1\DRAGON~1.8\install\SETUPX~1.MSI"
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4956

C:\Windows\SysWOW64\attrib.exe
ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE4D73.tmp.bat"
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4D73.tmp.bat" "
3⤵
- System Location Discovery: System Language Discovery
PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
3⤵
- System Location Discovery: System Language Discovery
PID:1180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 07E89C81D87A2A8BEA141DCC0876EFF1 C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2080

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4576

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6BFE85CC6CA36A4C8CEA4EF61CC6D966
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1432

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Read Me.txt
1⤵
PID:3468

C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\DragonFrame_4-1-8_Activation.exe
"C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\DragonFrame_4-1-8_Activation.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\is-U2N1R.tmp\DragonFrame_4-1-8_Activation.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U2N1R.tmp\DragonFrame_4-1-8_Activation.tmp" /SL5="$402DC,1223273,111616,C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\DragonFrame_4-1-8_Activation.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /F /IM DragonFrame.exe /T
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1940

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /F /IM DragonFrame.exe /T
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1144

C:\Windows\system32\cmd.exe
"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\etc\hosts" /r /d y
3⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\drivers\etc\hosts" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3528

C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls "C:\Windows\system32\drivers\etc\hosts " /grant everyone:F /c /t /q
3⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts " /grant everyone:F /c /t /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1180

C:\Windows\system32\cmd.exe
"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\etc\hosts" /r /d y
3⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\drivers\etc\hosts" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4704

C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls "C:\Windows\system32\drivers\etc\hosts " /grant everyone:F /c /t /q
3⤵
PID:2312

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts " /grant everyone:F /c /t /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2120

C:\Windows\system32\cmd.exe
"cmd.exe" /c takeown /f "C:\Windows\system32\drivers\etc\hosts" /r /d y
3⤵
PID:4844

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\system32\drivers\etc\hosts" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3396

C:\Windows\system32\cmd.exe
"cmd.exe" /c icacls "C:\Windows\system32\drivers\etc\hosts " /grant everyone:F /c /t /q
3⤵
PID:1936

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\drivers\etc\hosts " /grant everyone:F /c /t /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2500

C:\Users\Admin\AppData\Local\Temp\is-CD35E.tmp\Read Me.exe
"C:\Users\Admin\AppData\Local\Temp\is-CD35E.tmp\Read Me.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780

C:\Users\Admin\AppData\Local\Temp\is-FMLL4.tmp\Read Me.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FMLL4.tmp\Read Me.tmp" /SL5="$2030A,112328,111616,C:\Users\Admin\AppData\Local\Temp\is-CD35E.tmp\Read Me.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Program Files\DZED\Dragonframe 4\DragonFrame4LicenseGenerator.exe
"C:\Program Files\DZED\Dragonframe 4\DragonFrame4LicenseGenerator.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4436

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:940

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe
"C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583804.rbs

Filesize
19KB

MD5
f7ec4a13a077bc608b27305599389437

SHA1
9d19859035801f937e2b1862fe3d56201c639431

SHA256
4804cd8cb09ed6ebe4aacde9b5f5577a35c205eaff55e436bb7046779ed879c8

SHA512
ed46194d0c1bcd099de3a26e07547526f2f3536b44b10a2ec582aa4f9e45a78832993443d1ec7fc7b42161ad41e731af6b74ac54917c202e587632e4e2a65f78

Download Submit
C:\Program Files\DZED\Dragonframe 4\ARRIRAW_SDK.dll

Filesize
29.1MB

MD5
bceda7afb46b58de1271e0d94f1d4bd0

SHA1
5ea39d429480f70561c1f8cd3b0e21839cd5c5ec

SHA256
600454a44ad8270849f5e8fe4f24d517fdbda02d2bf18515dbe91946915156e0

SHA512
4da82604f29b922db83bf300562094c4b9b9c50b3971a6dad9fbcd9aedfbb20607fd2ff071dc58bd5126c7f88e59f3419c22d463d2922ac2f2b7850f9607722a

Download Submit
C:\Program Files\DZED\Dragonframe 4\DragonFrame.exe

Filesize
33.1MB

MD5
e9e23beb249ef16d6df06ef91309e36f

SHA1
a7266f3574a6c4964c628ccf0a2d10c7da775412

SHA256
837726667bc46b38f13b883e5dd5675853b522a022629ee044bcf390ff183c9b

SHA512
427ed86fce4eb77b021d40701f75ce0fafd983481e7b246da8e2e09366d7f205f8265a22e2ec16a08c6a541fe5cdda44e5a47a55bbdf38ab632b12aa40ba3b8d

Download Submit
C:\Program Files\DZED\Dragonframe 4\DragonFrame4LicenseGenerator.exe

Filesize
851KB

MD5
99f8ffac5dfea2253fc74b5e7667aa3a

SHA1
df4247c7647cd78b52e1e4d3af8f4a7bd7d315fa

SHA256
4e69cf14ff14a139d132f277848a3e43ca39ee65dd16cc5e8fac3e978f2e3ca2

SHA512
90af122a3ce06e0c9a88d91780ae3be51e403e89785664ec74028376b2102924f0e7c9d5aa378e9f198dbb0f343ab6db5466afa71fe78241250a1f29f03329fb

Download Submit
C:\Program Files\DZED\Dragonframe 4\Dragonframe.exe

Filesize
33.1MB

MD5
be8a6b93935115d85083fe88f5326ed3

SHA1
0975dc6dc2ea06c90287494ecdd02d8168a69163

SHA256
4db4c1f2ad92837ea52e2cab351d6a9881bef92c8a4d544b8a6b465d4f0e279a

SHA512
73bdad4290416ded7f7ea7ed32a38d3bbef913c167e424eb127d736123f78baf6f80b7551e54ab2a862557567df4896a027c4646986355e0678ff1ee21d94116

Download Submit
C:\Program Files\DZED\Dragonframe 4\SDL2.dll

Filesize
1.3MB

MD5
6f0469c91c605754eb64163b5f9014ad

SHA1
fa4b2ac4f36251984aade8479a93c4ac527d43e6

SHA256
24cb7b791c05255fc35757542f307190d9668a072f1ddcb38eeb8cf8dfc7dc91

SHA512
431a48ec4ea7cc144d09ed3e3c4640702a04d18cd1c43e1d35fa64d611e8eaad87a332129c7db4b42451ed84efd9a57bf5c146af636856a6678ea5ca46f37bc0

Download Submit
C:\Program Files\DZED\Dragonframe 4\avcodec-56.dll

Filesize
12.8MB

MD5
74fa75626082fc36219e712d330d446d

SHA1
db7478ca5e0eb155d9d90bf3ec00cd3729d6bd85

SHA256
dfc9f4f72cd4930df97a13716ee9b94948602bfe8ee7622631dc221534bf61b1

SHA512
2e3427016c1ea3d5db15240faf8ddb7077deea29bd7aff3a7feeab292963833b25310b10876fd09942b89f7c367806b3a0d0c74f9f37ed7b120fbf6f31837aad

Download Submit
C:\Program Files\DZED\Dragonframe 4\avformat-56.dll

Filesize
2.5MB

MD5
dcdc43049757f901f2b7821b9584fe3c

SHA1
5b9e28c186ed7203bee5649722a41bd6447f8078

SHA256
2c63ff4281e64e83d7039da30c0a7b916de9956878c9dbd1d4d5f789c0a1f311

SHA512
c5c5adcfa2894e2e0844a0be133c905483b546c4e9b482afd89bba3186f4bbecfbf80017b3edf29a3dfd3d7e7b8b3dc0b7b8bd544675cfc272abf36b308b1709

Download Submit
C:\Program Files\DZED\Dragonframe 4\avutil-54.dll

Filesize
715KB

MD5
ad2f014e713d6b75a415b27171807749

SHA1
4f6f7d20158c435eab4414e93964d1bcbee56151

SHA256
3e84e93899a75bc02d1de3fb14c9b3dfea1353e04d223844e3ce99bf3f30bb27

SHA512
cb9737026ef6553eb60e9b83e8c374a6aa830ab226ac46cec0ada95c52619c45ffb3b8a05d7b3ae479f275a62f816976e69d5c9cb31f74ee36f08cfebf998de6

Download Submit
C:\Program Files\DZED\Dragonframe 4\msvcp120.dll

Filesize
644KB

MD5
46060c35f697281bc5e7337aee3722b1

SHA1
d0164c041707f297a73abb9ea854111953e99cf1

SHA256
2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848

SHA512
2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

Download Submit
C:\Program Files\DZED\Dragonframe 4\msvcr120.dll

Filesize
940KB

MD5
9c861c079dd81762b6c54e37597b7712

SHA1
62cb65a1d79e2c5ada0c7bfc04c18693567c90d0

SHA256
ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c

SHA512
3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

Download Submit
C:\Program Files\DZED\Dragonframe 4\swresample-1.dll

Filesize
332KB

MD5
afcf7f21f62b199e9125b1b58ef4e346

SHA1
724bf32f64b1f1bbe4faf2a9c3a789cd751aeabe

SHA256
f8faded6b353ec1047c33bb5028eb22261e3ad0453e1f9d4484b3354a9ddd2af

SHA512
a83945ba17f5ecb7bfcbbeb0208f5eba21941fb7ba2dd8bef64dc07e8b373f08b8a345587b241a1efb4dc7ccf32c5640c66f16ea87e5a50904f89a4e3a5b9cc6

Download Submit
C:\Program Files\DZED\Dragonframe 4\swscale-3.dll

Filesize
874KB

MD5
4ae8834c5349c14e31ecd298a3b90118

SHA1
63286b1a1286fa22af5b63061a260b9879c9fe0d

SHA256
821af3da1a66a2ae3f9d91e199883c7cf05b1b7f46cc32084e31627a95e8fa99

SHA512
8a3cadaf04eb684fbd73219ec6fad3c83bfcabd9aca2dcaa3b2c7ef736b37a3491951cfa0e8c65222e43fee258401b90aab982fbd13ca2545bfcd954206d5819

Download Submit
C:\Program Files\DZED\Dragonframe 4\turbojpeg.dll

Filesize
561KB

MD5
559acf7024905336de1319dce184183b

SHA1
5c730e89d786a4f0d44b66e3b57100ac8fe34605

SHA256
8d4a6baa2982b4b10ad1d6b75c3686692184dcd40cd2bf170212ace23f895c56

SHA512
335f5fe037215761319eb4913bb199ffcda15997c6ffacf4a76a11d7305c6db84b924b4787cb249961d5afe146cec314091bb8de34237620be3f610cce189213

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
31b49bf8db3d1a74a8a65fd6fece3bd2

SHA1
55b7c68652f06aad20f7766b184e20ae88f82a9a

SHA256
d264a237b8673a088b5e19f80beada84e4eb3b411016d0cf28a4f9166a5d6e76

SHA512
8be40d318da8a876b4f4edf05b62d160818eb57e71b20aa89732b9b13a6a658cf44c64dd160260fb389fbde84826fd48f5b8bcf4ad569d952091738979c252e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7AE00CBB984A94B365C6F635B9DA27DB_0198962556F642CFC08288137657DBC9

Filesize
2KB

MD5
31fa82279a81a7274db279652058350c

SHA1
82d83b3d066a35cbeac16876668ad3b99f768e38

SHA256
ff53f049d06343e67efb8bb689bed752e539b426397650bdd51f5d20cd4ec25e

SHA512
96cb1bf251e1c6c1f799389a4198a9b7cb930cb0599835e1653fe5be9f8924040dafe0daaa95cf8668e5a93fd02ca68aaa17402f8ef1cfebdb94eaad7b25e76d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
a48619df87aacaf7df6e8fcbc221e8f3

SHA1
429f1de957fec5ebb764a82f6d3a8962544ff002

SHA256
d789ba0ab14591b32927ecb58af1c7e19321ed12bf5cfbaacf962846e1a3a2bc

SHA512
8f7f0bcc7896e542028c8b8a61f7e87127f228f7b896a8435290aa774530629e5444e7f53a34bc4e6b47b042772fc39481b49622712dc739a1e401314542f011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
4fae32044af56a2287347ac1e477cd09

SHA1
90c226fbb5f341172ad1f0ea3d4433262811d250

SHA256
0c19290b71bc435d1d7f3794e946afe1db91d77bb7cf7d21c55ff47eb01436b0

SHA512
b94d3cc9927f114bd082862eb04a5c49d8d5bbfb4f897e810ba6d2fec3e87e553d0f890704cc676c1e83c291855f674316abbb2ad03c2896737ad8964783518b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7AE00CBB984A94B365C6F635B9DA27DB_0198962556F642CFC08288137657DBC9

Filesize
474B

MD5
23c1d3b415d4dbb70ae3832eabb3a5e5

SHA1
9ca25c1685d7627eb064676c6c0597b25e806960

SHA256
7f0d0b4f9d7646fc89bd0ca3f2e0868053e6d628648e801c29d75b511e66a02e

SHA512
77c7c6e5bb59ce7d821c706bb8eb17b6c064e2ef979e843f6aa5df4102525dcc96269478b5a7a71f5443c7054ea9e18b2da66a44f54d39c01ecfd028fae64ad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
38e0937578f3dfb008101a630551846b

SHA1
e7de8c2efde5cce5c6bc6df265ab00c2c12b8c48

SHA256
6dbd280fed1f399812584b48dbbbcbe947720e58dc3ff54d3bb67dfec7a8cca4

SHA512
623e5123da82d31d09457d0b0697e37207d301cf4a5ddcfc4bdfe25fa7d4fb4bb4fb7413b9520993624d0f03040d4a394535a6ac9307d1b84b8f0f50937457e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d3c741e1-7a4f-4d9a-abbc-c51a4551e6bd.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1640\wininstallerbanner.jpg

Filesize
12KB

MD5
324e8a477b3150c770433d1f1dad5c51

SHA1
8d94a4ba04d74b580f4b2b9f4f35858cf4e808a0

SHA256
ee806ad71f43856bda2891c41ef37158ee4396a993fed54d9770721cad725f2d

SHA512
e176d124acb54b923faf319f3bd058defed832ad0896d1aecbdca0b618c9fa22b983bc2e186d6f6d29965552436259a4313318c9bcdac77092a485716ca1dffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1640\wininstallerdialog.jpg

Filesize
29KB

MD5
ed4f18772ec6af4aca7aa415f1fdd35d

SHA1
e6f9eb90c44d9f3cdedc3aa95bbc94dd7f2f4370

SHA256
1e961cc9de31c1682aa2d0815d88f4a231f5d4a0f1e655dd64d065726399f21f

SHA512
0fd26e7f49e78416c9311f3b85c89128b5cbeb056cc57cab9a9373ce8243afa33e7aa0290fef9bdebe83d122a62d47b9ed915c1749deeba4db791f191993ffc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE4D24.tmp.bat

Filesize
415B

MD5
869ef154a79ca2d6bc321d294840e7b4

SHA1
e355199d979f3fc6fdc87719e445c33ad87230a8

SHA256
9719cfd08b070668c322fe538235b1cb0b69acdf89bfba36430f0034196dcce9

SHA512
4a12391958ed5d903deeeac7c7775d27c2da4c834c5f425eb849e4f1cd767d72e05052d1bbf24599a5b2d8144e884ccd645a0e19ca4bd690462e1983c0689f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE4D73.tmp.bat

Filesize
415B

MD5
ed62a229871bd052840ba832e77b47a4

SHA1
c2c0431123aadac410aae2edd5b4cf86bf909656

SHA256
1a24453f29a04c91fdb9940a998d65f200e5d0e4265398965e5b907d3a6ff635

SHA512
781acb9552c10316151f760e8908c7883ba46c485a8d93e6ceae6e44ebfff636c32b75f758ca7ce8974a8feb5f37753686e5bf156f64b2c9907597337f366164

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEF71.tmp

Filesize
91KB

MD5
3fe30e3727ac3e4a3b6e832b6a14a1c4

SHA1
a27a7f7193f5255f4a7b4150a000998cb4a420cc

SHA256
b3bc41b77a13c3a45d43fd2a7b1cdf37f5212798c602282e0e0d1ec52a4dbb8f

SHA512
b842766faeb6ce7f641854f8d120d8c34808773d4c0916b3097f04f398bdf36e92405804ef998607ebbbf5299b42bdf35420f4cc99e4a82f1508b55a058e6827

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CD35E.tmp\Read Me.exe

Filesize
381KB

MD5
e4c309c40d9c02e44955b5e26d5016b0

SHA1
b2af6c12032655c01657c0a6e8eb85bda1f48ac7

SHA256
169df787b66deaa366a1d9cf3b695635a68f3c41d63736255b17757eec47af5f

SHA512
7d68f6bdf9eeb8183bd5e7acf001cbbc1d3302c7d16543b9e4e15bd5bc5bfac6fe6246b3f39dbfb9cf0fd56ff006e79bded4c5ffc3876ee13ad7cb66c8fd54b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U2N1R.tmp\DragonFrame_4-1-8_Activation.tmp

Filesize
754KB

MD5
d8467ca1f529c6c6decb1b82dbaed1df

SHA1
a4a21c366a4f4331e13bada80682a117c9d17be2

SHA256
d12e8487b5941b9552e2ad2f742938cff407cb80825ad4dbb1b54de2c706ce81

SHA512
03a519849743a7f71ae2974b4d5d08ceba8555f06ff8c64a4a99749bbef99d59f40effc34f3f8afbb56d8370c1171a5f5ba5de4d0ca830bfb28b16c5e6956257

Download Submit
C:\Users\Admin\AppData\Roaming\DZED Systems LLC\Dragonframe 4 4.1.8\install\setup.aiui

Filesize
1.4MB

MD5
1d42d27ebd659bf353859c75dc6ae309

SHA1
bfb5bef8ba877ef509b56566954d274769cac872

SHA256
4ef7e39ce5c10db6807da078475f89c2523acc46207a895a0257ed8f58f5390e

SHA512
f1577ace2bded900cead34ff5ccc2c9fc2ee4fc0996105edd5aeef8dd2fa7023e1166311e98c9661b123a5d7fa3df5a8f49afe54909d4924c41467fcda3fb1ca

Download Submit
C:\Users\Admin\AppData\Roaming\DZED Systems LLC\Dragonframe 4 4.1.8\install\setup.x64.msi

Filesize
852KB

MD5
d232bb0f652352cf336f3014da098b7f

SHA1
de6dc9d526b95bc741816da72e5e58bae8d15597

SHA256
0a426a0cb2059fe7522c8301090a65d1ab2afb6fb98985fafa6826ec29b500cf

SHA512
0901e53b49e7dbdcdcc16cd7d4acc9780591a3a14ecc151b0c0745385016c9a6a9364eb74f1072e99cb4418af0df802c481fd382c0b5f6e058814b9f4270eb58

Download Submit
C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\DragonFrame_4-1-8_Activation.exe

Filesize
1.6MB

MD5
c7d4a601a22eb54368b58aea39b0023b

SHA1
840200cd66bd07c0d1005fe652a36db318be8328

SHA256
7b8144c5b25fa92533ca3082c87e902211bb2f6be049d738814c61b4276c2eeb

SHA512
3e253a47a7a4b57bf65761f34086e40e9fcf23b6eb1c3b1977159ab584b2f6657b66a191f064e64237e64700a7bb259a85734cbe0692ae74652f39e7f35ee793

Download Submit
C:\Users\Admin\Desktop\DragonFrame_4-1-8_Installer+Activation\Read Me.txt

Filesize
868B

MD5
fd22473cd66f5df65df7a0c005389955

SHA1
b97aa785922e299d217c76b170cec4192cbaeaf4

SHA256
bb7dd6449f51b482331f9b430478ae7d8ecc3a9ecb0c93b61b6d149446213cb2

SHA512
013ced65ab5084b5334d2e9d097b270bd7f78d3ae106b9bd5a248dcb55afe80b158470a040350274425188e535167a618c8656626142e55111a14dc3f9546965

Download Submit
C:\Windows\Installer\MSI3AB5.tmp

Filesize
297KB

MD5
d8d0f609fae9ad424dd3e8f51f35dd41

SHA1
61d039248b588c0198b4a3ac86cc8d3ae42f3e9b

SHA256
a8e60cec78db1fed07cb41ac52809b194cfaef00ba33f85286d1aeeeb19db1ed

SHA512
1e0ae02f0f9301b8a8cd21ef916b42518f330014bad16367d0f3794710fb441d0a8a3349b7bc1fc73529a6f7a4b47b3b4846b152792a7dd1bea385bd79034b89

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
d49071c2eb53e58c18bb07889db6920b

SHA1
5eab2eead25467ff0b0da5d91531fd71367f7841

SHA256
127fb49d66c16bad8d64b77592e0e7c44b937b3174c7e7f8eefe966e102e5409

SHA512
434b7ccb2100403fa7f213b27cd7d0c93de065feed144e79bfbfa3a040666f9f8df9fdd26d69c2987a44475b0a0f8b95664c95f36c69ae6131ba8c8dd8b475ff

Download Submit
\??\Volume{280cc82f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{adadaa0e-8e74-435c-a95b-294f72879d34}_OnDiskSnapshotProp

Filesize
6KB

MD5
33a83008e6e5f670ef66925d96089742

SHA1
5f7c74f82c742ab99fed5f962501594b5a852d89

SHA256
ccd350c44ce1ddc81ce9cbe2f83074bed67f2686521edce3e5a224858a463401

SHA512
13a41e2b3b35d8a3770f0d24b382de362847d34db11b90ca9f0ed48391246640303c7a3d06a5b1f045c1b266192047c72b755a4391c3493ffc6f8db3ae6eef66

Download Submit
memory/940-327-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/1780-268-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1780-281-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1952-324-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/2020-340-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/2332-331-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/2432-338-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/3056-280-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3408-313-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/3716-314-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/3716-332-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/3716-307-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/3716-315-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/3716-333-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/4228-336-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download
memory/4372-245-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4372-310-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4372-264-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4372-279-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4404-244-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4404-311-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4404-237-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4844-342-0x000000006C740000-0x000000006C891000-memory.dmp

Filesize
1.3MB

Download