416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414

Analysis

max time kernel
152s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe
Size

657KB
MD5

f1fb157ce9b7c6d4aef539fe915e8ee5
SHA1

1a3b96d6f33726c97da8d0c148662a5066d4c400
SHA256

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414
SHA512

83120c27a5503003a19a4a696bcfd9fc4af5968b94d70f5f5410c5313e048cea71eb4b687b508f767ddca032f17b343b7d8e6ea169101ef41b329c0b540315b2
SSDEEP

12288:K/iSu68aZ2NHx8eBPh7VwwsaTyItetooaUt788+PJ2Cwwa7z:K/imXY5CeBkKM/ar1J2hwY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt\ = "{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\DropboxExt\ = "{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}"	regsvr32.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

15 4616 msiexec.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

flow	pid	process
15	4616	msiexec.exe

Drops file in Drivers directory 9 IoCs

Processes:

Dropbox.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\dbx-stable.sys	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET2DDD.tmp	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\dbx-dev.sys	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET2DEE.tmp	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET2DBD.tmp	Dropbox.exe
File created	C:\Windows\system32\DRIVERS\SET2DBD.tmp	Dropbox.exe
File created	C:\Windows\system32\DRIVERS\SET2DDD.tmp	Dropbox.exe
File created	C:\Windows\system32\DRIVERS\SET2DEE.tmp	Dropbox.exe
File opened for modification	C:\Windows\system32\DRIVERS\dbx-canary.sys	Dropbox.exe

Executes dropped EXE 9 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxClient_158.4.4564.exeDropbox.exeDbxSvc.exe

pid	process
3948	DropboxUpdate.exe
1360	DropboxUpdate.exe
3456	DropboxUpdate.exe
3428	DropboxUpdate.exe
4432	DropboxUpdate.exe
4852	DropboxUpdate.exe
4176	DropboxClient_158.4.4564.exe
2612	Dropbox.exe
372	DbxSvc.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

364 netsh.exe
1360 netsh.exe

pid	process
364	netsh.exe
1360	netsh.exe

Registers COM server for autorun 1 TTPs 43 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeDropbox.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\InProcServer32\ = "%SYSTEMROOT%\\system32\\shell32.dll"	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\158.4.4564\\DropboxOfficeAddin64.14.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\InProcServer32	Dropbox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\InProcServer32	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\InProcServer32\ = "%SYSTEMROOT%\\system32\\shell32.dll"	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ = "C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt64.55.0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DropboxUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DropboxUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxClient_158.4.4564.exeDropbox.exe

pid	process
3948	DropboxUpdate.exe
1360	DropboxUpdate.exe
3456	DropboxUpdate.exe
3456	DropboxUpdate.exe
3456	DropboxUpdate.exe
3456	DropboxUpdate.exe
3948	DropboxUpdate.exe
3428	DropboxUpdate.exe
4432	DropboxUpdate.exe
4852	DropboxUpdate.exe
4852	DropboxUpdate.exe
4432	DropboxUpdate.exe
4176	DropboxClient_158.4.4564.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe
2612	Dropbox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Dropbox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Dropbox.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 11 IoCs

Processes:

DropboxUpdate.exeDropbox.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_72E9B602DBBE8F382B48D98F49AE6328	DropboxUpdate.exe
File opened for modification	C:\Windows\system32\SET2DFF.tmp	Dropbox.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_72E9B602DBBE8F382B48D98F49AE6328	DropboxUpdate.exe
File opened for modification	C:\Windows\system32\DbxSvc.exe	Dropbox.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB	DropboxUpdate.exe
File created	C:\Windows\system32\SET2DFF.tmp	Dropbox.exe

Drops file in Program Files directory 64 IoCs

Processes:

Dropbox.exeDropboxClient_158.4.4564.exe

description	ioc	process
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\driver_amd64\dbx.inf	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-x@2x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\Assets\TileSmall.contrast-white_scale-125.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\QtGraphicalEffects\private\FastInnerShadow.qml	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-x@3x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\legacy\dropboxstatus-busy@3x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\locales\fr.pak	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\Assets\external_drive.targetsize-24.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\Assets\logo.targetsize-40_altform-unplated_contrast-black.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtGraphicalEffects\private\FastInnerShadow.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Private\TextInputWithHandles.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\shell32_native.cp38-win32.pyd	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Styles\Base\MenuBarStyle.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\QtQuick\Controls\Styles\Desktop\ButtonStyle.qml	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-shortnotification@2p5x.png	DropboxClient_158.4.4564.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\light\dropboxstatus-busy@1p25x.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\light\dropboxstatus-snooze.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\ComboBox.qml	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Private\TextHandle.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\Assets\passwords.targetsize-48.png	DropboxClient_158.4.4564.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Assets\backup.targetsize-24.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Assets\gdoc.targetsize-256.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-snooze@1p75x.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\plugins\imageformats\qgif.dll	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\plugins\styles\qwindowsvistastyle.dll	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-connecting.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtGraphicalEffects\private\GaussianMaskedBlur.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\win32process.cp38-win32.pyd	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll	DropboxClient_158.4.4564.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Assets\gdoc.targetsize-16.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Private\StackView.js	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Styles\Base\DelayButtonStyle.qml	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Styles\Desktop\ToolBarStyle.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\Assets\logo.targetsize-30_altform-unplated_contrast-white.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-pause@2p5x.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\legacy\dropboxstatus-idle@1p25x.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\api-ms-win-crt-environment-l1-1-0.dll	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\legacy\dropboxstatus-shortnotification@1p25x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Private\qmldir	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Strings\language-da-DK\Resources.resw	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-longnotification@1p25x.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\ucrtbase.dll	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\win32event.cp38-win32.pyd	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\QtQuick\Controls\Private\CalendarUtils.js	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-x.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\api-ms-win-core-timezone-l1-1-0.dll	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Assets\logo.targetsize-72.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-logo@2x.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\QtQuick\Controls\Private\HoverButton.qml	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\QtQuick\Controls\Styles\Base\StatusIndicatorStyle.qml	DropboxClient_158.4.4564.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-cam@1p5x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\swiftshader\libGLESv2.dll	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\win32clipboard.cp38-win32.pyd	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\Qt5Sql.dll	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\legacy\dropboxstatus-pause@1p75x.png	DropboxClient_158.4.4564.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Assets\logo.targetsize-64_contrast-white.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\DropboxUpdateProxy32.exe	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\light\dropboxstatus-snooze@1p75x.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client\158.4.4564\locales\ro.pak	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\dark\dropboxstatus-notification@2p5x.png	DropboxClient_158.4.4564.exe
File created	C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\images\03_Tray_Icon\win\light\dropboxstatus-pause@3x.png	DropboxClient_158.4.4564.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\Assets\binder.targetsize-16.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\images\03_Tray_Icon\win\legacy\dropboxstatus-cam.png	Dropbox.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Client\158.4.4564\tprt.cp38-win32.pyd	Dropbox.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exeDropboxUpdate.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099218A5-A723-43DC-8DB5-6173656A1E94}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\e56fd02.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56fd02.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e56fd05.msi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3120 sc.exe
5052 sc.exe
1660 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3120	sc.exe
5052	sc.exe
1660	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

msiexec.exeDropboxUpdate.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DropboxUpdate.exe

Modifies registry class 64 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exeregsvr32.exeregsvr32.exeDropbox.exeregsvr32.exeregsvr32.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\CLSID\ = "{3A337332-37E4-4063-B4F3-6416846C8A33}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ProgID\ = "DropboxUpdate.CoreClass.1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\NumMethods\ = "24"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\CurVer\ = "DropboxUpdate.CredentialDialogMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\NumMethods\ = "4"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{527E621D-39D6-4627-8185-08F387A73307}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1DCEB61-74EC-4B50-9AEF-F2BE0F8238E0}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\ = "dropbox-NamespaceExtensionRole.Business"	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DD80E78-80D7-4E12-90CA-CBF68A68B1B3}\ = "IRibbonCallback"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05378308-2559-4C71-B758-7DACD5A359BA}\NumMethods\ = "6"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\ = "DropboxExt2 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\ = "{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\VersionIndependentProgID\ = "DropboxUpdate.Update3COMClassService"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\CurVer\ = "DropboxUpdate.Update3WebMachineFallback.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8474489-B2C1-4CE8-852D-FF8A916C91F0}\ = "ICoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDA8FC46-0F9A-4A8C-8764-3B80880A9AEB}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\ = "IPackage"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ProgID\ = "DropboxUpdate.CoCreateAsync.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.415.1\\DropboxUpdateOnDemand.exe\""	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0\ = "DropboxUpdate CredentialDialog"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\AppID = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\SortOrderIndex = "66"	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2441950E-49C6-4F69-8EB4-0AA66295CE56}\InprocHandler32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\ShellFolder\FolderValueFlags = "40"	Dropbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1A}\ShellFolder\FolderValueFlags = "40"	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\SortOrderIndex = "66"	Dropbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\ = "DropboxUpdate CredentialDialog"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\ = "DropboxExt1 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E31EA727-12ED-4702-820C-4B6445F28E1B}\InProcServer32	Dropbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF142CA5-83C5-4E06-8FEA-310AA519A945}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C416C376-AEC5-4443-9D90-BEBA9434763B}\NumMethods\ = "10"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\ProxyStubClsid32\ = "{A1DCEB61-74EC-4B50-9AEF-F2BE0F8238E0}"	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DropboxUpdate.exemsiexec.exeDropbox.exe

pid process

3948 DropboxUpdate.exe
3948 DropboxUpdate.exe
4616 msiexec.exe
4616 msiexec.exe
2612 Dropbox.exe
2612 Dropbox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DropboxUpdate.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3948	DropboxUpdate.exe
Token: SeShutdownPrivilege	3948	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	3948	DropboxUpdate.exe
Token: SeSecurityPrivilege	4616	msiexec.exe
Token: SeCreateTokenPrivilege	3948	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	3948	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	3948	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	3948	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	3948	DropboxUpdate.exe
Token: SeTcbPrivilege	3948	DropboxUpdate.exe
Token: SeSecurityPrivilege	3948	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	3948	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	3948	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	3948	DropboxUpdate.exe
Token: SeSystemtimePrivilege	3948	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	3948	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	3948	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	3948	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	3948	DropboxUpdate.exe
Token: SeBackupPrivilege	3948	DropboxUpdate.exe
Token: SeRestorePrivilege	3948	DropboxUpdate.exe
Token: SeShutdownPrivilege	3948	DropboxUpdate.exe
Token: SeDebugPrivilege	3948	DropboxUpdate.exe
Token: SeAuditPrivilege	3948	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	3948	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	3948	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	3948	DropboxUpdate.exe
Token: SeUndockPrivilege	3948	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	3948	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	3948	DropboxUpdate.exe
Token: SeManageVolumePrivilege	3948	DropboxUpdate.exe
Token: SeImpersonatePrivilege	3948	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	3948	DropboxUpdate.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exeDropboxUpdate.exeDropboxUpdate.exeDropboxClient_158.4.4564.exeDropbox.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2200 wrote to memory of 3948	2200	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 2200 wrote to memory of 3948	2200	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 2200 wrote to memory of 3948	2200	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 1360	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 1360	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 1360	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 3456	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 3456	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 3456	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 3428	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 3428	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 3428	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 4432	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 4432	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 3948 wrote to memory of 4432	3948	DropboxUpdate.exe	DropboxUpdate.exe
PID 4852 wrote to memory of 4176	4852	DropboxUpdate.exe	DropboxClient_158.4.4564.exe
PID 4852 wrote to memory of 4176	4852	DropboxUpdate.exe	DropboxClient_158.4.4564.exe
PID 4852 wrote to memory of 4176	4852	DropboxUpdate.exe	DropboxClient_158.4.4564.exe
PID 4176 wrote to memory of 2612	4176	DropboxClient_158.4.4564.exe	Dropbox.exe
PID 4176 wrote to memory of 2612	4176	DropboxClient_158.4.4564.exe	Dropbox.exe
PID 4176 wrote to memory of 2612	4176	DropboxClient_158.4.4564.exe	Dropbox.exe
PID 2612 wrote to memory of 364	2612	Dropbox.exe	netsh.exe
PID 2612 wrote to memory of 364	2612	Dropbox.exe	netsh.exe
PID 2612 wrote to memory of 364	2612	Dropbox.exe	netsh.exe
PID 2612 wrote to memory of 1360	2612	Dropbox.exe	netsh.exe
PID 2612 wrote to memory of 1360	2612	Dropbox.exe	netsh.exe
PID 2612 wrote to memory of 1360	2612	Dropbox.exe	netsh.exe
PID 2612 wrote to memory of 1232	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 1232	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 1232	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 1824	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 1824	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 1824	2612	Dropbox.exe	regsvr32.exe
PID 1824 wrote to memory of 940	1824	regsvr32.exe	regsvr32.exe
PID 1824 wrote to memory of 940	1824	regsvr32.exe	regsvr32.exe
PID 2612 wrote to memory of 3040	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 3040	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 3040	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 4972	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 4972	2612	Dropbox.exe	regsvr32.exe
PID 2612 wrote to memory of 4972	2612	Dropbox.exe	regsvr32.exe
PID 4972 wrote to memory of 2956	4972	regsvr32.exe	regsvr32.exe
PID 4972 wrote to memory of 2956	4972	regsvr32.exe	regsvr32.exe
PID 2612 wrote to memory of 2528	2612	Dropbox.exe	runonce.exe
PID 2612 wrote to memory of 2528	2612	Dropbox.exe	runonce.exe
PID 2612 wrote to memory of 3120	2612	Dropbox.exe	sc.exe
PID 2612 wrote to memory of 3120	2612	Dropbox.exe	sc.exe
PID 2612 wrote to memory of 5052	2612	Dropbox.exe	sc.exe
PID 2612 wrote to memory of 5052	2612	Dropbox.exe	sc.exe
PID 2612 wrote to memory of 1660	2612	Dropbox.exe	sc.exe
PID 2612 wrote to memory of 1660	2612	Dropbox.exe	sc.exe
PID 2612 wrote to memory of 1660	2612	Dropbox.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe
"C:\Users\Admin\AppData\Local\Temp\416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdate.exe
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpZM01qSzNNTFl3TVRNek1qQzJNRGN3TkRjMU5EUURpaGxhV3BpWW1scWFtVm1ZVzlRQ0FLbzBEZGd-QE1FVEEifQ"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1360

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:3456

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDVjbFpwY0U5TVV6ZFBlazB0VEhvd2VGSnpiRWwzVG1wWk0wMXFTek5OVEZsM1RWUk5lazFxUXpKTlJHTjNUa1JqTVU1RVVVUnBhR3hoVjNCcFdXMXNjV0Z0Vm0xWlZ6bFJRMEZMYnpCRVpHZC1RRTFGVkVFaWZRIiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuNDE1LjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDU2NzQzREUtRjdFNi00MkVELUI5QzktMUQyN0Y1NURCRkYzfSIgdXNlcmlkPSJ7RkRBRjAwQkItMzU4Ny00MjEzLUEzRDUtQzUwNjVDRUFDNjJGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezBDNjM4NDNELTUyRjktNEI3Qy1CNTM1LTgyRDRFRUM3RjA4NX0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjIiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntEODk2OEZGMi1FMEIxLTRBMTMtQTNFMi1DOUYyOTk1RjNCQzZ9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuNDE1LjEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3428

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpZM01qSzNNTFl3TVRNek1qQzJNRGN3TkRjMU5EUURpaGxhV3BpWW1scWFtVm1ZVzlRQ0FLbzBEZGd-QE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{456743DE-F7E6-42ED-B9C9-1D27F55DBFF3}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4852

C:\Program Files (x86)\Dropbox\Update\Install\{BACD1645-4E24-491C-A336-55398BD7EB0F}\DropboxClient_158.4.4564.exe
"C:\Program Files (x86)\Dropbox\Update\Install\{BACD1645-4E24-491C-A336-55398BD7EB0F}\DropboxClient_158.4.4564.exe" /S /DBData:eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpZM01qSzNNTFl3TVRNek1qQzJNRGN3TkRjMU5EUURpaGxhV3BpWW1scWFtVm1ZVzlRQ0FLbzBEZGd-QE1FVEEiLCJvbWFoYS1pbnN0YWxsZXItaWQiOiJ7RkRBRjAwQkItMzU4Ny00MjEzLUEzRDUtQzUwNjVDRUFDNjJGfSIsInJlcXVlc3Rfc2VxdWVuY2UiOjB9 /InstallType:MACHINE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4176

C:\Program Files (x86)\Dropbox\Client_158.4.4564\Dropbox.exe
"C:\Program Files (x86)\Dropbox\Client\..\Client_158.4.4564\Dropbox.exe" /install /InstallType:MACHINE /InstallDir:"C:\Program Files (x86)\Dropbox\Client" /KillEveryone:YES /DBData:eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpZM01qSzNNTFl3TVRNek1qQzJNRGN3TkRjMU5EUURpaGxhV3BpWW1scWFtVm1ZVzlRQ0FLbzBEZGd-QE1FVEEiLCJvbWFoYS1pbnN0YWxsZXItaWQiOiJ7RkRBRjAwQkItMzU4Ny00MjEzLUEzRDUtQzUwNjVDRUFDNjJGfSIsInJlcXVlc3Rfc2VxdWVuY2UiOjB9
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name=Dropbox
4⤵
- Modifies Windows Firewall
PID:364

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
4⤵
- Modifies Windows Firewall
PID:1360

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.55.0.dll"
4⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1232

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.55.0.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\regsvr32.exe
/S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.55.0.dll"
5⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:940

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\158.4.4564\DropboxOfficeAddin.14.dll"
4⤵
- Modifies registry class
PID:3040

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\158.4.4564\DropboxOfficeAddin64.14.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\regsvr32.exe
/S "C:\Program Files (x86)\Dropbox\Client\158.4.4564\DropboxOfficeAddin64.14.dll"
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:2956

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
PID:2528

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe delete DbxSvc
4⤵
- Launches sc.exe
PID:3120

C:\Windows\System32\sc.exe
C:\Windows\System32\sc.exe create DbxSvc binPath=C:\Windows\System32\DbxSvc.exe start=auto
4⤵
- Launches sc.exe
PID:5052

C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\sc.exe failure DbxSvc reset= 3600 actions= restart/5000/restart/30000//
4⤵
- Launches sc.exe
PID:1660

C:\Windows\System32\DbxSvc.exe
C:\Windows\System32\DbxSvc.exe
1⤵
- Executes dropped EXE
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\VCRUNTIME140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\dropbox_core.dll
Filesize
54.6MB

MD5
a6b10255b7b53083e23ae95395f3d573

SHA1
1fc50252013455254475e517d013b5f08cfdced8

SHA256
8c830582f8b0a73e62531d34ce08b51ff5d9e29afaf294b05aee4d47c91ef766

SHA512
3b926c55302d235b16635bfc6b321ef39b1dc1f6195fe30c3ff1e256b403bf709e202cf0d2cbaa19fdd686e1080b3db29f1d06518c2db9f1ae2815890a4e7bef

Download Submit
C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\dropbox_core.dll
Filesize
54.6MB

MD5
a6b10255b7b53083e23ae95395f3d573

SHA1
1fc50252013455254475e517d013b5f08cfdced8

SHA256
8c830582f8b0a73e62531d34ce08b51ff5d9e29afaf294b05aee4d47c91ef766

SHA512
3b926c55302d235b16635bfc6b321ef39b1dc1f6195fe30c3ff1e256b403bf709e202cf0d2cbaa19fdd686e1080b3db29f1d06518c2db9f1ae2815890a4e7bef

Download Submit
C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\python38.dll
Filesize
8.8MB

MD5
878080203f29883dde44fdee7d0799e9

SHA1
c806273199d4cf5a02fc97c4945a5217ba6e797f

SHA256
c0ca3ecdb0fa579e8b3dc736ce7275bd06d67290b64a902efd0bac48b483ee6b

SHA512
ca84d676587f4974d970dcc6ac71be590fb344c7c9a163ee842b0cbe851481abf6a33e84b5753e243258f63958be335bfb3a1054d28707a3270f3d94117505e8

Download Submit
C:\Program Files (x86)\Dropbox\Client_158.4.4564\158.4.4564\python38.dll
Filesize
8.8MB

MD5
878080203f29883dde44fdee7d0799e9

SHA1
c806273199d4cf5a02fc97c4945a5217ba6e797f

SHA256
c0ca3ecdb0fa579e8b3dc736ce7275bd06d67290b64a902efd0bac48b483ee6b

SHA512
ca84d676587f4974d970dcc6ac71be590fb344c7c9a163ee842b0cbe851481abf6a33e84b5753e243258f63958be335bfb3a1054d28707a3270f3d94117505e8

Download Submit
C:\Program Files (x86)\Dropbox\Client_158.4.4564\Dropbox.exe
Filesize
10.7MB

MD5
1c600bec2cfb8c5c5f42a12354abe394

SHA1
14eabf26520e936302164b51984ee65857570363

SHA256
e9f18b1a74529ac0dc38c0ef7387f48f69712200ee49e6b83e4c2a3bf1de40bf

SHA512
f2a4504fed15b1455b2f68bd9c3bbfe63fcc13454b1bfdf1219e3efe5fb06528c7b6396cf57abb04d2f5f54c8fcff0b9f1998e1f5e75e61eaba7d8da043aa922

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\DropboxUpdateHelper.msi
Filesize
23KB

MD5
6d1ea0e9099f78478fc055c8c552550f

SHA1
2888760c0e530b7c0ee82dc8f36b042e7077f864

SHA256
5301f806c26e74c17f4ffaaa4006e0070152b374863cd0c2b48750d148946f05

SHA512
1a8e58580aee6db7e38c2727b8779aaad90592be29c204e6610e7c1f31ebeafc074183f26476f4342b5afc1f93aa42d4d61f66c7b1005d4584c9d9bd6ba8268f

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\goopdateres_en.dll
Filesize
28KB

MD5
94a51f9d159e775d92c8c8d083ce6d16

SHA1
0fb24e465ace5a501c08cb5cb5de153439b250d5

SHA256
93e6cc6381a2ea20a8444e1c85155597a9ab4ceb45d4139b62ccc0d6bd2b654a

SHA512
b26144627c6c341ed60e5f062c310650fae9dcd1d926cc96a28b262fa0b6a976383e3e209614f276e44ed05a094bd0ed9f4414b887fec39cb79a0364047e60f9

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\npDropboxUpdate3.dll
Filesize
271KB

MD5
abd56056463ff57b610d9e4a6cdea5c0

SHA1
c96bca867bcef74ec0120973e828fb8b395e0901

SHA256
efa55f87deb6777e5fe258bb0c772007fd54cb78a45d87688533f8a3a6660e0a

SHA512
fce32ef85299f8e2d41aab991a3dfb4f8138f296b6b562e6e2d06c2d465b8391ec885c96721d8ac5eb8dee31e731c81eaa3f3d3ff20af97f23cc65d2aff976e1

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.415.1\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\Install\{BACD1645-4E24-491C-A336-55398BD7EB0F}\DropboxClient_158.4.4564.exe
Filesize
163.4MB

MD5
7dde8432ddd523c858d02638743445f2

SHA1
5088d0417436c49728ba86836eb6930e851b45a9

SHA256
4ac120fb105881d140e77b296f4515829afb52541bf35b3ad0fa1e7e6d8aa6e9

SHA512
1f50a67896199b955c163d36b2d023c452fb6f1fbfd6ebcb1bacf9b7ed335e6ad3502adb23edf9ae8d660f3f11855bfa6e710b40e83be700be5a979eebdf6f15

Download Submit
C:\Program Files (x86)\Dropbox\Update\Install\{BACD1645-4E24-491C-A336-55398BD7EB0F}\DropboxClient_158.4.4564.exe
Filesize
163.4MB

MD5
7dde8432ddd523c858d02638743445f2

SHA1
5088d0417436c49728ba86836eb6930e851b45a9

SHA256
4ac120fb105881d140e77b296f4515829afb52541bf35b3ad0fa1e7e6d8aa6e9

SHA512
1f50a67896199b955c163d36b2d023c452fb6f1fbfd6ebcb1bacf9b7ed335e6ad3502adb23edf9ae8d660f3f11855bfa6e710b40e83be700be5a979eebdf6f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxCrashHandler.exe
Filesize
128KB

MD5
33ef0054f91105b71faa3af03d6556fe

SHA1
bde714e038c39f09c91501944ac2f7f40f0c84b8

SHA256
d18eac5df36d4679377620f9ba7ae4b3caa7f7527e4f1b4e2c6a5faec3112187

SHA512
0711a5362d9c9fc45cd7f243d782b288a94d33d9df29ef007a3ca47ad9faaed3a5e797413f83f29ad9eddd017817cdfe1d1a8f9d76ecb4b3df5884d3d5f35488

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdateBroker.exe
Filesize
74KB

MD5
ab6a7e6d5315b2b3619853f0d86a7cea

SHA1
3b02383800887565d6449930e3489ad42e82eb49

SHA256
67ee4bfe47ad30fe9cc51c9585ec5acca3b2ab2d7aac5c550fdefa0ac1caeb02

SHA512
7c2d4d620afda5f473b7106466cbbe11d61dd846b5dce19284d39f4fb534f0d9f5e2db103bc74bc584a2411a457f0121e9cb205b2b2fcd3afc88fffdd62e60d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdateHelper.msi
Filesize
23KB

MD5
6d1ea0e9099f78478fc055c8c552550f

SHA1
2888760c0e530b7c0ee82dc8f36b042e7077f864

SHA256
5301f806c26e74c17f4ffaaa4006e0070152b374863cd0c2b48750d148946f05

SHA512
1a8e58580aee6db7e38c2727b8779aaad90592be29c204e6610e7c1f31ebeafc074183f26476f4342b5afc1f93aa42d4d61f66c7b1005d4584c9d9bd6ba8268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\DropboxUpdateOnDemand.exe
Filesize
74KB

MD5
97c2263ee2a1b1a458550a4283e75819

SHA1
f73e8fd4e945132504f49b80ed36e9a9aea6e031

SHA256
f7c621948ff0c05eac41bd1caa06aac30488dfd3d800cf0538c574da9ef9aefc

SHA512
0673e0f69331090d7e3a705fe77cc2424709162ea3f9023ff2a7ef44af8e5f95e7a918eb0ac71d1ecdb3c994285e86526d2e6b91e052d159ede2fa068b9403a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_da.dll
Filesize
29KB

MD5
a6c39af20f7867809a53ad35e57208d0

SHA1
ad5a780ae45476578548a7300ad39f5db627e352

SHA256
9494e123b8f27a63b9f6ccac901b76fa094a32fd6b17b68a0b5ddc776ac2f92f

SHA512
58f20df001e2df8bb7d8643790e8abbc7f62677c47b03850835440318228901b3e28993c2e735aca064bff2c8bc163e944c58db6bd7252484de034edee57e4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_de.dll
Filesize
32KB

MD5
4cee15e4d16be2e0da88c2c40de921ed

SHA1
669bde91661b4f6280f6ed9584459b1af7a117ac

SHA256
c64ba6e4d08e6d272c48bd1a5a1d40173a9a77e437013501b7e86bb6a85f267c

SHA512
0680f49045fcd2b31f4bb7c49655c2ff46ad669748fb6bce72035d363ae59118afe14109a8f753d3a2d1c01ac0ed42f13ef57aec0d4b64f3f3471122c425b686

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_en.dll
Filesize
28KB

MD5
94a51f9d159e775d92c8c8d083ce6d16

SHA1
0fb24e465ace5a501c08cb5cb5de153439b250d5

SHA256
93e6cc6381a2ea20a8444e1c85155597a9ab4ceb45d4139b62ccc0d6bd2b654a

SHA512
b26144627c6c341ed60e5f062c310650fae9dcd1d926cc96a28b262fa0b6a976383e3e209614f276e44ed05a094bd0ed9f4414b887fec39cb79a0364047e60f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_es-419.dll
Filesize
30KB

MD5
5cafaba6975526bbf46a9abd16775751

SHA1
9ecd15e2c3b3ad7a5a266909de73dea7bbcc2844

SHA256
24e3703e0db3ce8c1df1b1417c6a9b59964a686f09c60e82804a26604af54403

SHA512
4bfda2f02c557e64c9d6e88f149fc9b46cc1aa2b3812a89a23ba79b6e217bdc1a5b5360b51509e5d2f834042512ead171236ba26fea66660bbbc7789d7dbd4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_es.dll
Filesize
29KB

MD5
3b709e33212a2f6d8e04c1a1c4d1d3e3

SHA1
269c6402a17646ad1f274459d572738c37127436

SHA256
8b7b7707b3ef0a96de325f7bcb1ce3154d21b5c2e447b39319859bdf02a206f5

SHA512
b6c1b8c1ee101267087e86057d09fa99b6987ec08e6967a935649a5d94c731e780a746bd1d53fb617d1bb2d78b6feea1a789455141fd3b27a7489cecc3366291

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_fr.dll
Filesize
31KB

MD5
2f878f673ef12776a1c25fdcdfe1ecfb

SHA1
0357f396953bf44915239905a0898349de55a845

SHA256
9aa0bd5078cb2e8295e01a31ec5b0333daf2e9c3b6b92144d731a898c6c4aa8a

SHA512
e6de3949206dd8eef3d4cc87ac233c14222cc0aa9d535ff2b284c5d2547a9825d063b619d3de5268f907eb81a9e011da660bf4a2b9935dd360cad2607c4e1479

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_id.dll
Filesize
28KB

MD5
de7c91588de8c7b8ead0b5c714e541cd

SHA1
706301e2dcc408f6b169121c16030050079652ff

SHA256
28c322c17bbdf642ca54e3e978a7006994507e0a9b2908082fb875a0893fecf8

SHA512
91d3fe759e18a34d967525c4e38401c38d4f8141e9949c75be6c5b2dbb8e1f4c8f1689bfde61bc01789946b4e539dbd8bc16b50698992bb747fb866a472660a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_it.dll
Filesize
30KB

MD5
a7bdc5df479788f9a0d351872fcffade

SHA1
b77e4c1af44158721b33b355fd4e60d20f56e4df

SHA256
4d2a9c357ff46c192a61db806ae495cb97cd7b69fadf3bf8487e7c9316841afe

SHA512
e0c47489a91d843270d1c4854f97e1593fefec30fbc870fe820e3b2a32b7f712bddba97dab41dbcb0681a11de80e831550baf9e38003e92c8c48b4c676243250

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_ja.dll
Filesize
24KB

MD5
3fbd81f562729e1ec88bcd192a45518a

SHA1
b044565158be0e91d28669177627cedda4eab4d5

SHA256
3a266cc688543cb954bdd23cd4b0b666d31ca291ef253d683ed9222adc3b9ad5

SHA512
ea00b5f5d8e6d08b81ab24ebc84cac9dab946899b1b4bdceb1b286c5223b21ffd6330e8a14ee61e5ba2d720763da57539beb16f35cec072c5e5f1422c5e4df87

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_ko.dll
Filesize
24KB

MD5
0d1e672709624c985d139eb51e12b45b

SHA1
434c6161a8549ff509b81c4b1f8c927e47026987

SHA256
d0b8ca2e01baee6a88a8ff09b8aeff66b710581b8ce7b3cd8f1dcfe1e85f7841

SHA512
004f8803665c210905e2b13b8e57e1c2711e596d84faf894483b5e4865e8f4839deb72a3f94dcf9fc683ba831115c2f344d263b0a19de923641e2f7258aaf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_ms.dll
Filesize
28KB

MD5
df0beb0c432a06e39e774223a86f92ba

SHA1
e9f3ea29f7fd748671f4367d163898749e4cb637

SHA256
32c4400b74b6e7c061649e2a7ffb85d60f073ff403e7202d66819c8b7139e1ad

SHA512
499f3d833dae27fc565fba9c6046e978d3dc430ee716fe640f54f85f6b08fb8d76de9224e1fb552673b188ff8a7b8389504456642614bf645e6b8e0b964eeb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_nl.dll
Filesize
30KB

MD5
ca27eb08f9e26608594ec90de1dfbd3f

SHA1
8b424bf6506d10d8fb9642f936f3444ecfff20a5

SHA256
27787be15f150ad03e2b4b4cecb5d680499f40e2e9646196293c8a927b8eef08

SHA512
3e5ca109b084cc4698dc79a9eb01845e6001cd9fa5ef22f632f844e121782960274b0d451a3dcc99dce2065c562bfb2c8d773a6862b2ed3d28bb7469c5b41913

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_no.dll
Filesize
29KB

MD5
6823b06d20b182544c1f1204270fe67c

SHA1
ea745b8b734dd9340432526db5780f32cffb4dc5

SHA256
8d2c618080745f934b70c91f80c1bc525b0f5bb6832b16a8a6d5af90db7cf761

SHA512
ad92b33f1ff9e7c34fc66722d6fd88c68d151bb49e2f4c2b815740c41a1dcb73f57d08814d79faa4ab4037ec30ea1f86cc42fa64e8231a1293473b668e6670b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_pl.dll
Filesize
30KB

MD5
e267fddcef93dec48308ea5b4f26aa0f

SHA1
e98186a587636976d6988ea56e12ddc95fa64716

SHA256
ff59bf12aac71c51ce205f91c8b86ed43f41b9791b73da71b0fab35940fa7525

SHA512
9837fb059f177a34a58cfe10f4916aba50c365cd973aa07dd69011585cff8f292d0c24a7e8e58596ed55c6993f123ba3374497362091ec320c12dd0a69cf7f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_pt-BR.dll
Filesize
29KB

MD5
e5844e1961521a74512af3dfb0e7bf41

SHA1
5ab9c9caf0432335710e58bdb8b871f718f10939

SHA256
a8b84c28d75d728951ec9e0269301a704a8b8c923c55970797f742ecdb6560a9

SHA512
0dca8e8a4e1fecfd8daf35b82d51dce81682afdff7c689268cacf0a44a0e3a0f82c50981d5dfed9b9cbd0864a3171a1c35ae0e0eecbbd420edac1a3c1154742c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_ru.dll
Filesize
29KB

MD5
194a1564ad7c77b389d066481684057c

SHA1
4b7e42f98d1603da64e4e187355c1072d89a837f

SHA256
97a7307fd47df4ab91e2d04f9536d364ba6835f61bd7a8fead28d9e78502361a

SHA512
82927025a2863b11eb2f9316ae30d9dcfbda8b8471aed7594f8964b24922148415e4fe158a0bdb76bdc930782afa7d9a6d517131fda6a93a1326661a75ce1dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_sv.dll
Filesize
29KB

MD5
00a8a5ee0e9ce8a7960ca396a68e6b6f

SHA1
966f22e1262ac99a520de606d5981dbadd3ca122

SHA256
8fd0c749d80f49e3e2efbf8a452e63fd6ac5a1c555650ce974fbc54ff0c6df5e

SHA512
081a92e3cec15bdbb75c47a628faf284acd588bdfb92abe692205a983acb2effae79fdfb1cd817aa18189ca4f2b70b63e7648fd3ed15bb7050cfd44cd047ec64

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_th.dll
Filesize
28KB

MD5
955d19824b2b2ef3511492b6e8a5124c

SHA1
574f30fbe7ab8735899c34a4b6042e6819c6b9a8

SHA256
55b0f407308fee60285e18f4b0db15a4fd7f05cebf0ac81450170cdce122bed6

SHA512
d76a34e23114363918aac0b773c0aac2019f50952dfff2c971e3a3ca42cbd3b971e639a17e459bef70024f1faa19207b5fce76a9d1539ff380b8e4dee9a19208

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_uk.dll
Filesize
28KB

MD5
34d547535beaf8ef1056178280661fd5

SHA1
be2f96e5247a66a40719213321c5ad81bcac770e

SHA256
1c963aff878a36a3e6cedae73c6f40e96ceedf98a7befd37b02f51c3cd8a8653

SHA512
ec3672a379cc52645328a4dd877eca6d59e76535eb2b8266f20f6453e00b4f13646fcef9177cc06d4b80f93ad3bee67a8f23facbd20c0ed1a3fd62d6073e32f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_zh-CN.dll
Filesize
22KB

MD5
bfc3d98151f2deaf8e34ca02d6fdcc15

SHA1
0d7fcffd94e9faf41e33168076ba42401bf5349c

SHA256
54db59a78d8ecf42a6fc9d658350e402080f356b2901f4d9042e73d47129c53e

SHA512
d4efd3904d8f14dce67c69073e1d89dd179236813e9dbcdd92694fddc0655bddf9fb0622fc867136687617a30b664f355f5078fea6d8ca983b5937cdf4cbf9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\goopdateres_zh-TW.dll
Filesize
22KB

MD5
eb283388c5871fbee36c1b6e51a8efe6

SHA1
15c1b671d290b9fc1be5a872ed3708a070c0ee39

SHA256
3a2285f89a802396800f32f29e9ecb916b32d5a57e1886d7b4b0322bf01ebbf7

SHA512
b78d33b15a617d551bdd0bcb67ab98ea4ab155c6f5beb67d5b1ca510c9fde6524a40ed0717fc5fb5e02049e92664cf5c68998fbb01ae9a3cea209cea457aa0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\npDropboxUpdate3.dll
Filesize
271KB

MD5
abd56056463ff57b610d9e4a6cdea5c0

SHA1
c96bca867bcef74ec0120973e828fb8b395e0901

SHA256
efa55f87deb6777e5fe258bb0c772007fd54cb78a45d87688533f8a3a6660e0a

SHA512
fce32ef85299f8e2d41aab991a3dfb4f8138f296b6b562e6e2d06c2d465b8391ec885c96721d8ac5eb8dee31e731c81eaa3f3d3ff20af97f23cc65d2aff976e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\psmachine.dll
Filesize
208KB

MD5
d6b7a975a4ca9f828fca4b45c7de14f0

SHA1
c543142358484cd23a04bd938490eda917508f89

SHA256
4fd651696b49bf2bb5a7b3de3b4a27513846fb32b84777bba8e99bb75ef2a6e0

SHA512
f61ae9d1659e82ab160522599259f1c94a383ca03292306b19e8bc7038f871f4d7d4df23b546e26e887e6588547c154b722a00a1d586036edf875ed44e759cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUME9A9.tmp\psuser.dll
Filesize
208KB

MD5
04315c52adda242cfa61ccf650f24fad

SHA1
a90eb31cc24ed3f765e3f6af5546331cea56a1ac

SHA256
39e1fa6a46f9e1099977f9813baf5554e832ca690c429d35f9e37af98c2fb744

SHA512
3014c959ebe84988def0d9e80cc38451e5c8fb389e48ee731e301abd3b6bfd083f4ab8f1ae097b9db8dc284b2d736a699f212600ec9a7e9419f0e104b6db9bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8B5A.tmp\System.dll
Filesize
11KB

MD5
c6e19f882ac7c89c517ec158d8bee0e3

SHA1
4bd07cb821aca4d2eb32e7f74ae620780d8b958d

SHA256
817929ce4af784af2f28db0eea5cc9a16fa28e8ed0b3bd497ed8dda0619207a3

SHA512
cbf559f48b66e2bdf9e0de75d48f169fe2a112e34981c1463856e50807ff05f63afb512afd99503126d9f700ed4eda9bfa45fd38ded5d55d4c8738043ec7e62f

Download Submit
memory/364-202-0x0000000000000000-mapping.dmp

Download
memory/940-206-0x0000000000000000-mapping.dmp

Download
memory/1232-204-0x0000000000000000-mapping.dmp

Download
memory/1360-203-0x0000000000000000-mapping.dmp

Download
memory/1360-165-0x0000000000000000-mapping.dmp

Download
memory/1660-213-0x0000000000000000-mapping.dmp

Download
memory/1824-205-0x0000000000000000-mapping.dmp

Download
memory/2528-210-0x0000000000000000-mapping.dmp

Download
memory/2612-201-0x0000000065BF0000-0x0000000065F79000-memory.dmp

Filesize
3.5MB

Download
memory/2612-194-0x0000000000000000-mapping.dmp

Download
memory/2956-209-0x0000000000000000-mapping.dmp

Download
memory/3040-207-0x0000000000000000-mapping.dmp

Download
memory/3120-211-0x0000000000000000-mapping.dmp

Download
memory/3428-180-0x0000000000000000-mapping.dmp

Download
memory/3456-172-0x0000000000000000-mapping.dmp

Download
memory/3948-132-0x0000000000000000-mapping.dmp

Download
memory/4176-190-0x0000000000000000-mapping.dmp

Download
memory/4432-183-0x0000000000000000-mapping.dmp

Download
memory/4972-208-0x0000000000000000-mapping.dmp

Download
memory/5052-212-0x0000000000000000-mapping.dmp

Download