926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exe
Size

653KB
MD5

5095519ea6939d15fd152dbf7c8ff0ac
SHA1

96cd163c52fc84275ab644db334b3c7764eeee6b
SHA256

926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd
SHA512

a8f7662cdc2a3740daf9daf85cbe8f38bc5d9494ce8d22cf759f1c7f6d35bc980eb0b90e522fb17807ba76c332f19a2cee7f46665ab0a13ab494643ea01cead4
SSDEEP

12288:l/iSu7Kp081EFbfcjTBJgSFghJys9WDksIiCerNc9fEiQsBc4KtyUDl:l/iPoO2jTBFAys9APGVSbsi4u

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt\ = "{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt\ = "{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}"	regsvr32.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

14 4188 msiexec.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
14	4188	msiexec.exe

Drops file in Drivers directory 9 IoCs

Processes:

Dropbox.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET82B9.tmp	Dropbox.exe
File created	C:\Windows\system32\DRIVERS\SET82BA.tmp	Dropbox.exe
File created	C:\Windows\system32\DRIVERS\SET82B9.tmp	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\dbx-dev.sys	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET82BA.tmp	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\dbx-canary.sys	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET82A8.tmp	Dropbox.exe
File created	C:\Windows\system32\DRIVERS\SET82A8.tmp	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\dbx-stable.sys	Dropbox.exe

Executes dropped EXE 10 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxClient_157.4.4808.exeDropbox.exeDbxSvc.exedismhost.exe

pid	process
4204	DropboxUpdate.exe
4972	DropboxUpdate.exe
2808	DropboxUpdate.exe
4548	DropboxUpdate.exe
3184	DropboxUpdate.exe
1300	DropboxUpdate.exe
1108	DropboxClient_157.4.4808.exe
3844	Dropbox.exe
3176	DbxSvc.exe
4556	dismhost.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3652 netsh.exe
1960 netsh.exe

pid	process
3652	netsh.exe
1960	netsh.exe

Registers COM server for autorun 1 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeDropbox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\LocalServer32	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\157.4.4808\\DropboxOfficeAddin64.14.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\InProcServer32	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\InProcServer32	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" /autoplay"	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\InProcServer32\ = "%SYSTEMROOT%\\system32\\shell32.dll"	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.53.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\InProcServer32\ = "%SYSTEMROOT%\\system32\\shell32.dll"	Dropbox.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DropboxUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DropboxUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxClient_157.4.4808.exeDropbox.exe

pid	process
4204	DropboxUpdate.exe
4972	DropboxUpdate.exe
2808	DropboxUpdate.exe
2808	DropboxUpdate.exe
2808	DropboxUpdate.exe
2808	DropboxUpdate.exe
4204	DropboxUpdate.exe
4548	DropboxUpdate.exe
3184	DropboxUpdate.exe
1300	DropboxUpdate.exe
1300	DropboxUpdate.exe
3184	DropboxUpdate.exe
1108	DropboxClient_157.4.4808.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe
3844	Dropbox.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dropbox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Dropbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dropbox = "\"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" /systemstartup"	Dropbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 11 IoCs

Processes:

DropboxUpdate.exeDropbox.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_72E9B602DBBE8F382B48D98F49AE6328	DropboxUpdate.exe
File opened for modification	C:\Windows\system32\DbxSvc.exe	Dropbox.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_72E9B602DBBE8F382B48D98F49AE6328	DropboxUpdate.exe
File opened for modification	C:\Windows\system32\SET82BB.tmp	Dropbox.exe
File created	C:\Windows\system32\SET82BB.tmp	Dropbox.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB	DropboxUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

DropboxClient_157.4.4808.exeDropbox.exeDropboxUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Assets\StoreLogo.contrast-black_scale-150.png	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Assets\StoreLogo.contrast-white_scale-200.png	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Assets\logo.targetsize-32_altform-unplated.png	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtGraphicalEffects\LevelAdjust.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtQuick\Controls\StackView.qml	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Strings\language-ru\Resources.resw	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.639.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtGraphicalEffects\InnerShadow.qml	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtGraphicalEffects\OpacityMask.qml	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtQuick\Controls\Private\TabBar.qml	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Strings\language-ja\Resources.resw	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\driver_amd64\dbx-stable.sys	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\images\03_Tray_Icon\win\dark\dropboxstatus-connecting@2p5x.png	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.639.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\winscreenshot_native.cp38-win32.pyd	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\images\03_Tray_Icon\win\light\dropboxstatus-cam@1p75x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtQuick\Window.2\qmldir	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\resources\app.asar	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\locales\fa.pak	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\logo.targetsize-16_contrast-black.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtQuick\Controls\ScrollView.qml	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtQuick\Controls\Private\MenuContentScroller.qml	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\api-ms-win-core-string-l1-1-0.dll	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\binder.targetsize-24.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\logo.targetsize-30_altform-unplated_contrast-white.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\images\03_Tray_Icon\win\dark\dropboxstatus-connecting.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\windisplaytoast_native.cp38-win32.pyd	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Assets\passwords.targetsize-32.png	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Strings\language-ms\Resources.resw	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\binder.targetsize-128.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\logo.targetsize-20_altform-unplated.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\TileSmall.contrast-white_scale-200.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\images\03_Tray_Icon\win\legacy\dropboxstatus-idle@1p75x.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Strings\language-uk-UA\Resources.resw	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\dropbox_tprt.dll	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtQuick\Controls\Styles\Desktop\CheckBoxStyle.qml	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\logo.targetsize-80_contrast-white.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtGraphicalEffects\Blend.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\PackageAssets\Dropbox.msix	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtQuick\Controls\GroupBox.qml	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\logo.targetsize-80_altform-unplated_contrast-white.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtQuick\Controls\GroupBox.qml	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtQuick\Controls\Styles\Base\images\editbox.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\shcore_native.cp38-win32.pyd	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\locales\uk.pak	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\apex._apex.cp38-win32.pyd	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\images\03_Tray_Icon\win\light\dropboxstatus-shortnotification@2x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\DropboxThumbnailGenerator.exe	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\Assets\TileSmall.contrast-black_scale-400.png	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\logo.contrast-black_scale-100.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\images\03_Tray_Icon\win\light\dropboxstatus-busy@3x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\locales\ca.pak	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\QtQuick\Controls\Styles\Base\RadioButtonStyle.qml	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Strings\language-en-US\Resources.resw	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\win32print.cp38-win32.pyd	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtGraphicalEffects\private\FastGlow.qml	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\QtQuick\Controls\Styles\Base\ToolBarStyle.qml	DropboxClient_157.4.4808.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\gslides.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\images\03_Tray_Icon\win\dark\dropboxstatus-x@3x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\images\03_Tray_Icon\win\light\dropboxstatus-shortnotification.png	DropboxClient_157.4.4808.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\binder.targetsize-32.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Assets\web.targetsize-256.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\157.4.4808\Strings\language-es\Resources.resw	Dropbox.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exedismhost.exeDropboxUpdate.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e568f28.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e568f25.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099218A5-A723-43DC-8DB5-6173656A1E94}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\e568f25.msi	msiexec.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

512 sc.exe
4604 sc.exe
2304 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
512	sc.exe
4604	sc.exe
2304	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

msiexec.exeDropboxUpdate.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DropboxUpdate.exe

Modifies registry class 64 IoCs

Processes:

DropboxUpdate.exeregsvr32.exemsiexec.exeregsvr32.exeregsvr32.exeDropbox.exeDropboxUpdate.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass.1\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OfficeAddIn\CurVer\ = "Dropbox.OfficeAddIn.1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBCB9957-FBBA-412E-AB18-D6FEED996B31}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt.53.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.gslides\OpenWithProgids	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Dropbox.Gsheet\DefaultIcon	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Dropbox.PaperT	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.Gsheet\shell	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.ExternalBackupLocation\DefaultIcon\ = "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe,-3712"	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.ExternalBackupLocation\ = "Dropbox feature"	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\VersionIndependentProgID\ = "DropboxUpdate.Update3WebSvc"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78F1393A-63FD-494A-BA89-2C3ECA4E8EC8}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DD80E78-80D7-4E12-90CA-CBF68A68B1B3}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.gdoc\OpenWithProgids	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.Gsheet\shell\Open\Command\ = "\"C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" /openext \"%1\" %*"	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\System.IsPinnedToNamespaceTree = "1"	Dropbox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\ShellFolder	Dropbox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Dropbox.Paper	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher\ = "Dropbox Update Process Launcher Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\ = "DropboxExt4 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.Gslides\DefaultIcon\ = "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe,-4003"	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.Passwords\shell\Open	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.639.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\ = "DropboxExt8 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{527E621D-39D6-4627-8185-08F387A73307}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.dbx-backup	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0\CLSID\ = "{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dropbox-install\shell\	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\CLSID\ = "{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CurVer\ = "DropboxUpdate.Update3WebMachine.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Dropbox.Shortcut	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback\ = "Dropbox Update Legacy On Demand"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}\ProxyStubClsid32\ = "{97E0A5E2-76BC-43F6-8DDC-3E07A738E45E}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ProxyStubClsid32\ = "{97E0A5E2-76BC-43F6-8DDC-3E07A738E45E}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\ = "DropboxExt9 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.Vault	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\ProxyStubClsid32\ = "{97E0A5E2-76BC-43F6-8DDC-3E07A738E45E}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{E54806CB-0046-4BCF-B389-3A6F732DC6E6}"	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

DropboxUpdate.exemsiexec.exeDropbox.exepowershell.exepowershell.exe

pid	process
4204	DropboxUpdate.exe
4204	DropboxUpdate.exe
4188	msiexec.exe
4188	msiexec.exe
3844	Dropbox.exe
3844	Dropbox.exe
4488	powershell.exe
4488	powershell.exe
1496	powershell.exe
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DropboxUpdate.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4204	DropboxUpdate.exe
Token: SeShutdownPrivilege	4204	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	4204	DropboxUpdate.exe
Token: SeSecurityPrivilege	4188	msiexec.exe
Token: SeCreateTokenPrivilege	4204	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	4204	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	4204	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	4204	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	4204	DropboxUpdate.exe
Token: SeTcbPrivilege	4204	DropboxUpdate.exe
Token: SeSecurityPrivilege	4204	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	4204	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	4204	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	4204	DropboxUpdate.exe
Token: SeSystemtimePrivilege	4204	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	4204	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	4204	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	4204	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	4204	DropboxUpdate.exe
Token: SeBackupPrivilege	4204	DropboxUpdate.exe
Token: SeRestorePrivilege	4204	DropboxUpdate.exe
Token: SeShutdownPrivilege	4204	DropboxUpdate.exe
Token: SeDebugPrivilege	4204	DropboxUpdate.exe
Token: SeAuditPrivilege	4204	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	4204	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	4204	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	4204	DropboxUpdate.exe
Token: SeUndockPrivilege	4204	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	4204	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	4204	DropboxUpdate.exe
Token: SeManageVolumePrivilege	4204	DropboxUpdate.exe
Token: SeImpersonatePrivilege	4204	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	4204	DropboxUpdate.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe
Token: SeTakeOwnershipPrivilege	4188	msiexec.exe
Token: SeRestorePrivilege	4188	msiexec.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exeDropboxUpdate.exeDropboxUpdate.exeDropboxClient_157.4.4808.exeDropbox.exeregsvr32.exeregsvr32.exepowershell.exe

description	pid	process	target process
PID 4756 wrote to memory of 4204	4756	926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exe	DropboxUpdate.exe
PID 4756 wrote to memory of 4204	4756	926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exe	DropboxUpdate.exe
PID 4756 wrote to memory of 4204	4756	926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 4972	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 4972	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 4972	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 2808	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 2808	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 2808	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 4548	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 4548	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 4548	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 3184	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 3184	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 4204 wrote to memory of 3184	4204	DropboxUpdate.exe	DropboxUpdate.exe
PID 1300 wrote to memory of 1108	1300	DropboxUpdate.exe	DropboxClient_157.4.4808.exe
PID 1300 wrote to memory of 1108	1300	DropboxUpdate.exe	DropboxClient_157.4.4808.exe
PID 1300 wrote to memory of 1108	1300	DropboxUpdate.exe	DropboxClient_157.4.4808.exe
PID 1108 wrote to memory of 3844	1108	DropboxClient_157.4.4808.exe	Dropbox.exe
PID 1108 wrote to memory of 3844	1108	DropboxClient_157.4.4808.exe	Dropbox.exe
PID 1108 wrote to memory of 3844	1108	DropboxClient_157.4.4808.exe	Dropbox.exe
PID 3844 wrote to memory of 3652	3844	Dropbox.exe	netsh.exe
PID 3844 wrote to memory of 3652	3844	Dropbox.exe	netsh.exe
PID 3844 wrote to memory of 3652	3844	Dropbox.exe	netsh.exe
PID 3844 wrote to memory of 1960	3844	Dropbox.exe	netsh.exe
PID 3844 wrote to memory of 1960	3844	Dropbox.exe	netsh.exe
PID 3844 wrote to memory of 1960	3844	Dropbox.exe	netsh.exe
PID 3844 wrote to memory of 3076	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 3076	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 3076	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 1472	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 1472	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 1472	3844	Dropbox.exe	regsvr32.exe
PID 1472 wrote to memory of 4580	1472	regsvr32.exe	regsvr32.exe
PID 1472 wrote to memory of 4580	1472	regsvr32.exe	regsvr32.exe
PID 3844 wrote to memory of 4396	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 4396	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 4396	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 4436	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 4436	3844	Dropbox.exe	regsvr32.exe
PID 3844 wrote to memory of 4436	3844	Dropbox.exe	regsvr32.exe
PID 4436 wrote to memory of 4352	4436	regsvr32.exe	regsvr32.exe
PID 4436 wrote to memory of 4352	4436	regsvr32.exe	regsvr32.exe
PID 3844 wrote to memory of 1452	3844	Dropbox.exe	runonce.exe
PID 3844 wrote to memory of 1452	3844	Dropbox.exe	runonce.exe
PID 3844 wrote to memory of 4604	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 4604	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 2304	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 2304	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 512	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 512	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 512	3844	Dropbox.exe	sc.exe
PID 3844 wrote to memory of 4488	3844	Dropbox.exe	powershell.exe
PID 3844 wrote to memory of 4488	3844	Dropbox.exe	powershell.exe
PID 3844 wrote to memory of 4488	3844	Dropbox.exe	powershell.exe
PID 3844 wrote to memory of 1496	3844	Dropbox.exe	powershell.exe
PID 3844 wrote to memory of 1496	3844	Dropbox.exe	powershell.exe
PID 1496 wrote to memory of 4556	1496	powershell.exe	dismhost.exe
PID 1496 wrote to memory of 4556	1496	powershell.exe	dismhost.exe

C:\Users\Admin\AppData\Local\Temp\926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exe
"C:\Users\Admin\AppData\Local\Temp\926b921e1fbe71043229a51c273bc30089ce07c326c9c2466550172f82c361bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdate.exe
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055OEVLQWlFUUFOQmZXVHhINkRqT09IMkJWSGlOVGt2Z1VyS0x3cnAyMk9qZjY5M2ZSejM2OWhxM09rOUZuUVkxNzJ2QUdLN3Y1R1BsX1pMeWM4RXo1Qkp2OXg2V2ZqUkVhRFNCUm5VWVZKdGF5N1dNT2Yyelk4MGdBa1RXRVRnQno4Q2V3SG90SUlSa3hSal9fUUVhYXlCNEBNRVRBIn0"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4972

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:2808

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGphSEp2YldVNk9tVktkMDU1T0VWTFFXbEZVVUZPUW1aWFZIaElOa1JxVDA5SU1rSldTR2xPVkd0MloxVnlTMHgzY25BeU1rOXFaalk1TTJaU2VqTTJPV2h4TTA5ck9VWnVVVmt4TnpKMlFVZExOM1kxUjFCc1gxcE1lV000UlhvMVFrcDJPWGcyVjJacVVrVmhSRk5DVW01VldWWktkR0Y1TjFkTlQyWXllbGs0TUdkQmExUlhSVlJuUW5vNFEyVjNTRzkwU1VsU2EzaFNhbDlmVVVWaFlYbENORUJOUlZSQkluMCIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjYzOS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0ie0M5ODdEODAyLUQ5MTMtNEExNy1CMEEyLTRGNjdCOUFDRTE4NH0iIHVzZXJpZD0iezE0QkYxRTE0LTM2NjQtNDA2OS1COUFCLUE2MjIzNjgzODVBRn0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InszMzNFNjQ3OC04N0QxLTQ3NjgtOTNCMi0wMDBEMzg5OERBQkV9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RDg5NjhGRjItRTBCMS00QTEzLUEzRTItQzlGMjk5NUYzQkM2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjYzOS4xIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4548

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055OEVLQWlFUUFOQmZXVHhINkRqT09IMkJWSGlOVGt2Z1VyS0x3cnAyMk9qZjY5M2ZSejM2OWhxM09rOUZuUVkxNzJ2QUdLN3Y1R1BsX1pMeWM4RXo1Qkp2OXg2V2ZqUkVhRFNCUm5VWVZKdGF5N1dNT2Yyelk4MGdBa1RXRVRnQno4Q2V3SG90SUlSa3hSal9fUUVhYXlCNEBNRVRBIn0&nolaunch=0" /installsource taggedmi /sessionid "{C987D802-D913-4A17-B0A2-4F67B9ACE184}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1300

C:\Program Files (x86)\Dropbox\Update\Install\{6C1BEF11-1537-44CD-B7BD-A7C63A6DC71F}\DropboxClient_157.4.4808.exe
"C:\Program Files (x86)\Dropbox\Update\Install\{6C1BEF11-1537-44CD-B7BD-A7C63A6DC71F}\DropboxClient_157.4.4808.exe" /S /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055OEVLQWlFUUFOQmZXVHhINkRqT09IMkJWSGlOVGt2Z1VyS0x3cnAyMk9qZjY5M2ZSejM2OWhxM09rOUZuUVkxNzJ2QUdLN3Y1R1BsX1pMeWM4RXo1Qkp2OXg2V2ZqUkVhRFNCUm5VWVZKdGF5N1dNT2Yyelk4MGdBa1RXRVRnQno4Q2V3SG90SUlSa3hSal9fUUVhYXlCNEBNRVRBIiwib21haGEtaW5zdGFsbGVyLWlkIjoiezE0QkYxRTE0LTM2NjQtNDA2OS1COUFCLUE2MjIzNjgzODVBRn0iLCJyZXF1ZXN0X3NlcXVlbmNlIjowfQ /InstallType:MACHINE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1108

C:\Program Files (x86)\Dropbox\Client_157.4.4808\Dropbox.exe
"C:\Program Files (x86)\Dropbox\Client\..\Client_157.4.4808\Dropbox.exe" /install /InstallType:MACHINE /InstallDir:"C:\Program Files (x86)\Dropbox\Client" /KillEveryone:YES /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055OEVLQWlFUUFOQmZXVHhINkRqT09IMkJWSGlOVGt2Z1VyS0x3cnAyMk9qZjY5M2ZSejM2OWhxM09rOUZuUVkxNzJ2QUdLN3Y1R1BsX1pMeWM4RXo1Qkp2OXg2V2ZqUkVhRFNCUm5VWVZKdGF5N1dNT2Yyelk4MGdBa1RXRVRnQno4Q2V3SG90SUlSa3hSal9fUUVhYXlCNEBNRVRBIiwib21haGEtaW5zdGFsbGVyLWlkIjoiezE0QkYxRTE0LTM2NjQtNDA2OS1COUFCLUE2MjIzNjgzODVBRn0iLCJyZXF1ZXN0X3NlcXVlbmNlIjowfQ
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name=Dropbox
4⤵
- Modifies Windows Firewall
PID:3652

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
4⤵
- Modifies Windows Firewall
PID:1960

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.53.0.dll"
4⤵
- Modifies system executable filetype association
- Modifies registry class
PID:3076

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.53.0.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\regsvr32.exe
/S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.53.0.dll"
5⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:4580

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\157.4.4808\DropboxOfficeAddin.14.dll"
4⤵
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\157.4.4808\DropboxOfficeAddin64.14.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\system32\regsvr32.exe
/S "C:\Program Files (x86)\Dropbox\Client\157.4.4808\DropboxOfficeAddin64.14.dll"
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:4352

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
PID:1452

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe delete DbxSvc
4⤵
- Launches sc.exe
PID:4604

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create DbxSvc binPath=C:\Windows\System32\DbxSvc.exe start=auto
4⤵
- Launches sc.exe
PID:2304

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe failure DbxSvc reset= 3600 actions= restart/5000/restart/30000//
4⤵
- Launches sc.exe
PID:512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"
4⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\C71C12BB-3870-4F6A-894B-25A7101351D5\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\C71C12BB-3870-4F6A-894B-25A7101351D5\dismhost.exe {2ADFD9D7-BD77-410A-81DE-4A960287F1EE}
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4556

C:\Windows\System32\DbxSvc.exe
C:\Windows\System32\DbxSvc.exe
1⤵
- Executes dropped EXE
PID:3176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\VCRUNTIME140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\dropbox_core.dll
Filesize
54.3MB

MD5
3cea1cae82fa505abb03d9719c8aa2ac

SHA1
47eb1ed3eb0a0e515aef5a0511787117bc2aad72

SHA256
96f366a807d2ad446f11833901e4f11593bf945e9792d48b68242c64a4937f0d

SHA512
a954948225d251720ce055bf37a6ef6c927f9797fee211a9d2b1867394028801d66d4d6cc43895680e222b8c80099b13b625b8b5d0136f71b0c1359f4d79606e

Download Submit
C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\dropbox_core.dll
Filesize
54.3MB

MD5
3cea1cae82fa505abb03d9719c8aa2ac

SHA1
47eb1ed3eb0a0e515aef5a0511787117bc2aad72

SHA256
96f366a807d2ad446f11833901e4f11593bf945e9792d48b68242c64a4937f0d

SHA512
a954948225d251720ce055bf37a6ef6c927f9797fee211a9d2b1867394028801d66d4d6cc43895680e222b8c80099b13b625b8b5d0136f71b0c1359f4d79606e

Download Submit
C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\python38.dll
Filesize
8.8MB

MD5
b70939941b460f1159cb9f6a5d77e3f9

SHA1
ac411be596dee34e6703179723d4985388e27c6b

SHA256
e5ae4774a98648b857f2d53ed0ede647f337bcdfdeb59c68fc49a3338e091a98

SHA512
262eab488c467be5c3c084378ffe49e194f18dc9037d7fc9b9846f0d18a12eb930788521f73724413af9cf7ccf41621d44e5ab1752dd50bc1f44a4b2d83350b9

Download Submit
C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\python38.dll
Filesize
8.8MB

MD5
b70939941b460f1159cb9f6a5d77e3f9

SHA1
ac411be596dee34e6703179723d4985388e27c6b

SHA256
e5ae4774a98648b857f2d53ed0ede647f337bcdfdeb59c68fc49a3338e091a98

SHA512
262eab488c467be5c3c084378ffe49e194f18dc9037d7fc9b9846f0d18a12eb930788521f73724413af9cf7ccf41621d44e5ab1752dd50bc1f44a4b2d83350b9

Download Submit
C:\Program Files (x86)\Dropbox\Client_157.4.4808\157.4.4808\vcruntime140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Program Files (x86)\Dropbox\Client_157.4.4808\Dropbox.exe
Filesize
10.7MB

MD5
297d19d29e51e2313cd03879ae67829b

SHA1
3f4b9959abc76c144405412a37a571b6857c97f6

SHA256
1045e640f036e5756419658ec01b3a0ce5eff141beb7f33a5e40916e01af31c4

SHA512
8ba966c7acf3b52eb6172741c515637efd905da4d513d14e7be4e64eb18fd870e282828184a18ed840ddfb22947c5f34902f2ac63e8b343416fa3e8de25af203

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\DropboxUpdateHelper.msi
Filesize
26KB

MD5
d78d0fe3a00f46774880f12e14f7394c

SHA1
62e4d7ddd5e46d227ca2e571daa1e466f64bea66

SHA256
08ea4b27abcc2506163f41d64611e29beae769e2fbeff6ad374723bba9520827

SHA512
64d081f9562aea4729531713f8483cc97f1cc0f5317c5a39d5036088c9a3808fe5868bc07d7e87113170e7e6e4b7e61fa79a20e4449b69874d10de1768d30018

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\goopdateres_en.dll
Filesize
31KB

MD5
0d5ad989075908469c249863555716d5

SHA1
ebb71e00051ded8d51fb7b42a8e1229f8b1fd8c5

SHA256
06ca8649fd52527c0df92d759ebae442ed7efdad3d45cef220f4d7d14aefca2f

SHA512
d548bdbb808e19cc8375fb3b3ac9855422a28450d6006749b5fd3669402b9f3bfa2c96e99661b70976e87ed658e4f7416392839c1c0dd6b5052814097101ecd3

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\npDropboxUpdate3.dll
Filesize
273KB

MD5
06e53e63294e29d1da4312a357b5b68c

SHA1
3ee051135178e79d5a8009afed483fd21ea1a95d

SHA256
6191829d054a53ea394a26a57f72f7dad4b683c471da341d09cf27362eb5942e

SHA512
e5463c844e60bea5e502e460fd03358a3f083053457135c5dbc29a32820593662bb34ce60224df612d2d5a0313a89d14519fa9a79ef0181ac88d087d36ebc7be

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.639.1\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Update\Install\{6C1BEF11-1537-44CD-B7BD-A7C63A6DC71F}\DropboxClient_157.4.4808.exe
Filesize
163.2MB

MD5
2e6b76ea80788c0f533d66d5ef18aca1

SHA1
f5eda8dd1ee49bad1cea6cae8370a668167384ba

SHA256
f00c2267c642ab2fc3a06c7d52c02b53bf6d64d8a9ba7e2824413cad8a17ce94

SHA512
4c4893f8a9a36fb6ee3911e5c1d1eedcb62bb4aef7c08f96e16882c6c7f915bf0310f314b9869f87551e7758d0654f500d211264953112f26370eb7bc6156527

Download Submit
C:\Program Files (x86)\Dropbox\Update\Install\{6C1BEF11-1537-44CD-B7BD-A7C63A6DC71F}\DropboxClient_157.4.4808.exe
Filesize
163.2MB

MD5
2e6b76ea80788c0f533d66d5ef18aca1

SHA1
f5eda8dd1ee49bad1cea6cae8370a668167384ba

SHA256
f00c2267c642ab2fc3a06c7d52c02b53bf6d64d8a9ba7e2824413cad8a17ce94

SHA512
4c4893f8a9a36fb6ee3911e5c1d1eedcb62bb4aef7c08f96e16882c6c7f915bf0310f314b9869f87551e7758d0654f500d211264953112f26370eb7bc6156527

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxCrashHandler.exe
Filesize
129KB

MD5
5ecee6fc156527757209c82a4edf19ca

SHA1
653f9234e467efce1fced8b3885047fc13a2b9f3

SHA256
c8d370e15e744b49c46bd0f350d5474541a5ca17b0b438db2ad76733127f89b4

SHA512
795401d771f4d5f94a8e2507c0169acd678327f854eb64548b0e665a5586614f5f96ec52f625543010d1254308e9925cdf8cb98a2b69c18ee9053364b1997151

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdate.exe
Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdateBroker.exe
Filesize
75KB

MD5
cfde3292ed966039846bc5b321bff1b2

SHA1
3ea1222f920b6534e118cd7170b3df9c6a62dc7a

SHA256
d97b011e58461d7c2ad9c2226f185708836ce1971de8fe2bf7deeac81e54f89f

SHA512
0976a8330e90b4fe7e85761dde9897ea08b3851d4dae0107fe4aa3179c9a4e08201dade6912df84ac467fd4146b098f5beaaaaf6150109b9bf5c6fc4c2f3d9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdateHelper.msi
Filesize
26KB

MD5
d78d0fe3a00f46774880f12e14f7394c

SHA1
62e4d7ddd5e46d227ca2e571daa1e466f64bea66

SHA256
08ea4b27abcc2506163f41d64611e29beae769e2fbeff6ad374723bba9520827

SHA512
64d081f9562aea4729531713f8483cc97f1cc0f5317c5a39d5036088c9a3808fe5868bc07d7e87113170e7e6e4b7e61fa79a20e4449b69874d10de1768d30018

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\DropboxUpdateOnDemand.exe
Filesize
75KB

MD5
2b361afa23729bf6139b99a1168957b6

SHA1
eb07cfca1d372eb59c4a74de9236b380c076dfae

SHA256
3d6efe7c4671b3e11a09b3df7a1fee3434dd6b71a43c10bd9181e10a1e7941e3

SHA512
a63e46dc5d1a85593f11a529f8f4ef2fecf9cce6369b0244d9f70e1d99953473d1cfd6aa94af9e9e2cdd0493b2e6c96f9a5eaa8af35ffbc5834f66d3edb46b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdate.dll
Filesize
1.1MB

MD5
45e5f57ab16e4e6654464da44ebe5852

SHA1
bd45e57b3c1c7c6a1c21798ad4b2fb1a59e41ece

SHA256
b8d072135296abb0e99bf990874c6502e464af24cb9cbacf53a1095f1072e677

SHA512
698e0306d5a2f69c77569e6ca79d588e3c19668fa29f03c9f4421e4ab029e101143d8cccba4c40d79405cfc5e3121c5a477353422cb9dffd18aea68aba0b729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_da.dll
Filesize
32KB

MD5
1301bc60c2424f69f091ababcc86f8cc

SHA1
6206159e28a00531876e9ad6f0093b945cf91c38

SHA256
9a48be8e60d43e968f6600e73391c97ed4cb9661dd1e917d335d014bf1e7b228

SHA512
8a5e1296d92dd8ac66d577efb75a5191bc27a881f8779b208322ad71f7cf952dc316f223be462f0776dd216505bb8c019c91c54dab5422f677e795f35ef60837

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_de.dll
Filesize
35KB

MD5
c5e6a073fffc6683cde32b96599c7725

SHA1
7592cbce63335a407f207fa6ae8f0956f0ddd0dc

SHA256
3a01c8cd5c2a586ca17f724bbfd526d1801d1697992f2993d561c190f55da0b7

SHA512
b12c890143eaea7d5d28b41666833eb29298b4a68ef6eebcaf8b8e59f97d5e8bbb303ab631681d9c7d5d39efd5656360dff42a8cc5545fbef3355d26e4b11e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_en.dll
Filesize
31KB

MD5
0d5ad989075908469c249863555716d5

SHA1
ebb71e00051ded8d51fb7b42a8e1229f8b1fd8c5

SHA256
06ca8649fd52527c0df92d759ebae442ed7efdad3d45cef220f4d7d14aefca2f

SHA512
d548bdbb808e19cc8375fb3b3ac9855422a28450d6006749b5fd3669402b9f3bfa2c96e99661b70976e87ed658e4f7416392839c1c0dd6b5052814097101ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_es-419.dll
Filesize
33KB

MD5
7df80b6d573b6b3dcf6a4a0105ada9f8

SHA1
890a90f7bf97615a085712e82747feee724f8e75

SHA256
cc3e874c666cf935b3f1ddc449a946236aab95589fdfc05f631c92dc47576d0a

SHA512
e593218873793618aa930a1c3c2c17235d6abe0abf8985f50afabd76cbfe89d4e932b853020adc0043a0b47200231646a5424356e99ea8c0d8b20c580a230fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_es.dll
Filesize
33KB

MD5
86c2d7187b461398c58bed0c7e48d93b

SHA1
6f82a85337ec02f14e72d6697fef5b9d120c2447

SHA256
509b126b249def0468be289fbac4ce959059c1c3b982e7670a39291f67ac5a6b

SHA512
f32609b9976d60d129255b14e42a7e00cdc974bb41509512cf793377208c0fa6c36cb3ada69d1064804f497e0c1566926bec5b19a8b2b287c6d84d1e8d8dd9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_fr.dll
Filesize
34KB

MD5
47d6198d8afc654b1357f886d51390d2

SHA1
e143e62ecc00246f13ce710cd68921d78f8d5258

SHA256
0b864b03fa21e972935b028f3e3e5c2b344e04d84bf8e844fded43d5c6f13ef9

SHA512
433708332cec3bf639e53522ae62b4d89689ac0d918ea5546fa25690598bf7a0600d3dc853cdc1605d569f04f49a2b76f3fd3d1281c6e92a65fbf10901d6b278

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_id.dll
Filesize
31KB

MD5
b4972522aa429f03d3ef5cb1cfeb4275

SHA1
339389e671082d74954efc8ca78c4354383eed9c

SHA256
3d4983be545b604a083f0aa4e083b91037e015ac7db6a4b4d878023b5d9ef58b

SHA512
30f2bc58a1d97b1ea809bffc93d317573330877653ea180553ec57f8d98dff51aadc393a1ebe7b19eb992283122703a505b77cb7f054954f20efc202702f734c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_it.dll
Filesize
33KB

MD5
dd28fafdd50ffe47460bd6a7ed845b03

SHA1
6331f86cb24014c2e06033802171d3339a013bfd

SHA256
072429ae6fb3a7a2d145bfa7fce3be89f98d75636238ab665294500bac45d89c

SHA512
f5428a9350ab8b029423562f1fa75b7b5dc1cb03b2434cd15bbbe1224fd711d50304d7857320ce4d6499fd8e112e9e5edbfd115bdbdbc26fbcb383d96411e5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_ja.dll
Filesize
27KB

MD5
750f92b58c34c03651cad14fd0eae455

SHA1
59e4130a0131b02994901e32575f88f6ba8e54f6

SHA256
3389597240ddf453a4c396777ccf80fafd7fa80aefe8ff9ae5a4ba924323f703

SHA512
2a023bad31f3e18134cd4400f669291d7fb4740e5057d0a8162f3f5e949b0f9f556f403cb1f2c337797872374fa8102b0c8b6df5130140d87517b93b7e9c8be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_ko.dll
Filesize
27KB

MD5
097ac7365616670974c6f39660938ff6

SHA1
6167611b08fc3f3b23018cb9d05f015c642004bf

SHA256
acfdffd0e58a985518363f4c703ceb4429b5470cdc62404e0a9b9af3fe1726bd

SHA512
705eebfde9211cf5b9f66589eb42b0d27274ecffbc0b9f706e1141a1b357f2140d4c6760dfbd97b44a2ae69821b44f9c8df259c84591e093209163f06397a1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_ms.dll
Filesize
31KB

MD5
80305b659dc0b77578476d179f5e5a56

SHA1
337f00f964eea37ab0f3d7bef28ae0abfc46d509

SHA256
6aa2021733ab522144d16567253d565f95a3bae548995c8c7412405a9a4dda6a

SHA512
46658f76570f61a72577342c8506a700a7028c2ba9859246f1a119cf919c32d3836eddbd92bf83974c987f661e0c99dfee75d85cca46684d0b8d8a6e03325a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_nl.dll
Filesize
34KB

MD5
f51d31df7a086e6c001686086f977d35

SHA1
5407e4f85e279d2bc5a5336bf109ca0c46c91e0a

SHA256
c046cbca2d077a222158a2d95f6cbfa229e8032a2395be6e16a1565917a65246

SHA512
d1799a43beef4f3c70ac35497d10260ed324bca62f212082bf72a70bd1edab7ff48f2f5e87c7c5d9d637a5883297bbf62efeeec546a03d975877e13fa2bb88a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_no.dll
Filesize
32KB

MD5
b6615b35d0905c9ca2e39678bf85bfc5

SHA1
62de31d5f991cdcbeb967ab309e3bd054927fec7

SHA256
dde7f7dddccba5b3e234e7a9af2152035ba1a044f27fb2fac65f709479ae26a6

SHA512
403deaf8a94cb5422f5749ec5c437380c4da1654e5d44910408f3681cb9a7909d841a5a38c9c6cce21fe7203581edbae655d1bba2c1caf46b1b0f906c5ca1451

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_pl.dll
Filesize
33KB

MD5
0dac0bbc2244b10d540c8b07dcc331bb

SHA1
da4acc32d893f1af61b779d3257f97779c948e7b

SHA256
e65adf5cf4eb50b041855400440095c9ac9fd828f717483ef8aad6737cd170a9

SHA512
f5c698f22ebdcf8e6f241dfbe31251222043ef3367bb008f2d0e7fa8d9a5c087ecf006153d12a08baf0c52c9864e8910af6e60c21efd22c7c37bc720bc185516

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_pt-BR.dll
Filesize
32KB

MD5
7aacf25f28084badfd5c6c9850ae8f0e

SHA1
122da522d5bb3c28b20128b80a4b70159711b793

SHA256
f76edb5594f35563894f6d67c70a5fc6e200b4e00145345d72d83d453c516402

SHA512
dde22d81a0cc81ca506649fc43b43f02a19c0f2dc14d0a76a97ca10d2d666c942e361221bc2a2f38550b3e7d5f86b62a6c0efac536730ff11144a91a8003df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_ru.dll
Filesize
33KB

MD5
abd331d37909e716ec5d35bd83b8cec3

SHA1
6ffdba22f3f8bd9007f69f94fc01d1381843f9fc

SHA256
d916fe1ca6a7ffeeeca2032a765db9c962dde321fd7e293d403146ab92c08467

SHA512
98f0c72e8684728f86d53232ede862cdc65a6a0c527fcfbdea4a889526026cbc5608acf0ea14a46ed113d43b03c8cfa01d1ef9dd015abee9b20c9f2de9a14626

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_sv.dll
Filesize
32KB

MD5
ef762fe5636b17c491444e886dead158

SHA1
48e24cc58b4d402bdf6a40454cedeb30df72c708

SHA256
eb54da8396fe8ffe32c416357a6cebd36092cdb17bc3aae10ebf1d035abd9473

SHA512
9751abb250243d281b052ad56109fcb08390082d88307c4c930ffa25bbb34c849d54d7258e83e8c6ea51165aa9f8540e15b09f93e4a4b35bf8140de68289ffc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_th.dll
Filesize
31KB

MD5
267fc12ea91ff17401bf6f59f695d1ac

SHA1
828315d0e1d3bede5c49e8df15164135f6c4150b

SHA256
e698f6be6d98549b7c01149d892fc934951534476715235d28c6afca30ef0958

SHA512
da982cf7698dd48751e1b8ad73251f35e5b71f80401a1e430fd1020c9eb9f26d3dd3226f5a7af49613df1ce9203d4e83e23d6ee54c7e4e49113cd510a9a057d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_uk.dll
Filesize
32KB

MD5
aa09c8a1c612c494292a47fd07d1f2f9

SHA1
eba0dab28e9adb8d45b93b86697a6f2d9121264b

SHA256
a9737cf7ccd2f05eacd65ba898cd5084c9ea0c264d826803adce72a1691b228a

SHA512
59df99e57bfc2ea53a2732cf1c18d417f725eab2780f18cd56d10ec6786974d16df6763ea00c270bba666a1946b29ba40b80194680b6391e41e060e27d449714

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_zh-CN.dll
Filesize
25KB

MD5
4115e2ea20b4faeef97d419595e993ef

SHA1
dcd23fa5536c9c5202e934bc8f43ba1ee33cb2e9

SHA256
17c88571ef3929a0d50df0211135a95d8aa0eb0ea1fc69c0ab9b36a7e1432a61

SHA512
828ef190e204f83d0b2c87a6fde74f9ed2b5550c9cdb9c6c48699ab3912bc3b4a6f76673b1bcbf8dade7756af72c9afe4e411d5ac15fbcaf2cb94eb4b6d6db6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\goopdateres_zh-TW.dll
Filesize
25KB

MD5
d4852f657e4ac4fe693f62f336bd275f

SHA1
f407950da73032ed2f30e918ba69e6b42fb6d938

SHA256
ee9eb7898c451a1ef7756b5c721f03d452deda45a99fea3566afb8ab1ec46d1b

SHA512
9fd012bdb3dc130d045d342ceab0dec154db208001cf4d84d576e787645c5de48263d90969d683cca107a14687928ebd938c0b8726f883a6231c7fe6923acb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\npDropboxUpdate3.dll
Filesize
273KB

MD5
06e53e63294e29d1da4312a357b5b68c

SHA1
3ee051135178e79d5a8009afed483fd21ea1a95d

SHA256
6191829d054a53ea394a26a57f72f7dad4b683c471da341d09cf27362eb5942e

SHA512
e5463c844e60bea5e502e460fd03358a3f083053457135c5dbc29a32820593662bb34ce60224df612d2d5a0313a89d14519fa9a79ef0181ac88d087d36ebc7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\psmachine.dll
Filesize
211KB

MD5
edb5981a474ad37c298c748d11247c8e

SHA1
474bd029fd83ea4feaabf310052f5bd9b6c59735

SHA256
f82caa4b49ac69496abe401286608c720d5db0a479b530b44de6f93502bae9f7

SHA512
56afe39eedf6e2e06218acf5c63f3c7fe92f210e241c19e85382835001084526152c45a6b62e8f0b5c25994eb6c114e2f989bc82c47b2aab3312f4852a59428c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM78FD.tmp\psuser.dll
Filesize
211KB

MD5
d6ef3bd5cf6aaf2beb7ab2522a4b87c8

SHA1
ca1e31529d7373f279f95e27b766950d640b0e8c

SHA256
2519303fd988ae8efaa15e7c8a294135565abbfcc94bfa4610ee0b66b002eef0

SHA512
916993d6a854810f55bbea647af428f5fd322d720513624c5880e7969133e12c886d54a4ecec951cae489e167054e1eff654c7c6983d17c082df99214b084a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso10EA.tmp\System.dll
Filesize
11KB

MD5
c6e19f882ac7c89c517ec158d8bee0e3

SHA1
4bd07cb821aca4d2eb32e7f74ae620780d8b958d

SHA256
817929ce4af784af2f28db0eea5cc9a16fa28e8ed0b3bd497ed8dda0619207a3

SHA512
cbf559f48b66e2bdf9e0de75d48f169fe2a112e34981c1463856e50807ff05f63afb512afd99503126d9f700ed4eda9bfa45fd38ded5d55d4c8738043ec7e62f

Download Submit
memory/512-213-0x0000000000000000-mapping.dmp

Download
memory/1108-189-0x0000000000000000-mapping.dmp

Download
memory/1452-210-0x0000000000000000-mapping.dmp

Download
memory/1472-205-0x0000000000000000-mapping.dmp

Download
memory/1496-231-0x000001599C8F0000-0x000001599C914000-memory.dmp

Filesize
144KB

Download
memory/1496-232-0x00007FFB920D0000-0x00007FFB92B91000-memory.dmp

Filesize
10.8MB

Download
memory/1496-230-0x000001599C870000-0x000001599C892000-memory.dmp

Filesize
136KB

Download
memory/1496-229-0x0000000000000000-mapping.dmp

Download
memory/1960-203-0x0000000000000000-mapping.dmp

Download
memory/2304-212-0x0000000000000000-mapping.dmp

Download
memory/2808-171-0x0000000000000000-mapping.dmp

Download
memory/3076-204-0x0000000000000000-mapping.dmp

Download
memory/3184-182-0x0000000000000000-mapping.dmp

Download
memory/3652-202-0x0000000000000000-mapping.dmp

Download
memory/3844-201-0x00000000659A0000-0x0000000065D29000-memory.dmp

Filesize
3.5MB

Download
memory/3844-193-0x0000000000000000-mapping.dmp

Download
memory/4204-132-0x0000000000000000-mapping.dmp

Download
memory/4352-209-0x0000000000000000-mapping.dmp

Download
memory/4396-207-0x0000000000000000-mapping.dmp

Download
memory/4436-208-0x0000000000000000-mapping.dmp

Download
memory/4488-222-0x0000000060370000-0x00000000603BC000-memory.dmp

Filesize
304KB

Download
memory/4488-223-0x0000000006A40000-0x0000000006A5E000-memory.dmp

Filesize
120KB

Download
memory/4488-216-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/4488-217-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/4488-218-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4488-219-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/4488-220-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/4488-221-0x0000000006A60000-0x0000000006A92000-memory.dmp

Filesize
200KB

Download
memory/4488-214-0x0000000000000000-mapping.dmp

Download
memory/4488-215-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/4488-224-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/4488-225-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/4488-226-0x0000000007990000-0x00000000079A6000-memory.dmp

Filesize
88KB

Download
memory/4488-227-0x0000000006A50000-0x0000000006A5A000-memory.dmp

Filesize
40KB

Download
memory/4488-228-0x0000000007A20000-0x0000000007A46000-memory.dmp

Filesize
152KB

Download
memory/4548-179-0x0000000000000000-mapping.dmp

Download
memory/4556-233-0x0000000000000000-mapping.dmp

Download
memory/4580-206-0x0000000000000000-mapping.dmp

Download
memory/4604-211-0x0000000000000000-mapping.dmp

Download
memory/4972-165-0x0000000000000000-mapping.dmp

Download