1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554

Analysis

max time kernel
73s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 13:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe
Size

771KB
MD5

1b4d7a040477229c80bb68c76d3545ad
SHA1

54efe7330611da9fed269eb3cf558357335bfac9
SHA256

1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554
SHA512

a2ebb20598f90b61248a13d944274ab84b3020343adf92a17c47e492b750d1c6bb7d760f7c33bfe4b1dc8a661bbb754f17b6584903eb86f169993085131e9de9
SSDEEP

12288:U761vvrXBDZZmDmSh7SHSjX4z4ZV4kzI6OcGfAkx4tOF6j+Z:U7qvrXo7ZNX4z4YbcGfAkx4tNE

Score

8^/10

evasion persistence

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
3736	netsh.exe
860	netsh.exe
4456	netsh.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	DropboxUpdate.exe

Executes dropped EXE 7 IoCs

pid	Process
2364	DropboxUpdate.exe
232	DropboxUpdate.exe
4608	DropboxUpdate.exe
408	DropboxUpdate.exe
1728	DropboxUpdate.exe
2320	DropboxUpdate.exe
4212	DropboxClient_189.4.8395.x64.exe

Loads dropped DLL 13 IoCs

pid	Process
2364	DropboxUpdate.exe
232	DropboxUpdate.exe
4608	DropboxUpdate.exe
4608	DropboxUpdate.exe
4608	DropboxUpdate.exe
4608	DropboxUpdate.exe
2364	DropboxUpdate.exe
408	DropboxUpdate.exe
1728	DropboxUpdate.exe
2320	DropboxUpdate.exe
2320	DropboxUpdate.exe
1728	DropboxUpdate.exe
4212	DropboxClient_189.4.8395.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	636	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DropboxUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\backup.targetsize-256.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\passwords.targetsize-128.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\legacy\dropboxstatus-longnotification@2p5x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\win32evtlog.pyd	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\web.targetsize-32.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Private\MenuItemSubControls.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\locales\he.pak	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\web.targetsize-24.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\TableViewColumn.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Styles\Base\images\spinner_medium.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\dark\dropboxstatus-x@2x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.817.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\qt.conf	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Styles\Desktop\ScrollViewStyle.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\light\dropboxstatus-longnotification@2x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtGraphicalEffects\DirectionalBlur.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtGraphicalEffects\qmldir	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Styles\Desktop\MenuStyle.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\dark\dropboxstatus-idle@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\locales\ja.pak	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\locales\lv.pak	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Styles\Base\FocusFrameStyle.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\legacy\dropboxstatus-longnotification@1p75x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_en.dll	1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\gdoc.targetsize-256.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\logo.targetsize-20_contrast-black.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\web.targetsize-128.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtGraphicalEffects\LinearGradient.qml	DropboxClient_189.4.8395.x64.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUT45F3.tmp	1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\web.targetsize-16.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\driver_amd64\dropbox.cat	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\dark\dropboxstatus-cam@1p75x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\locales\fil.pak	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\DropboxExt64.69.0.dll	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\ntdll_native.pyd	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\gdoc.targetsize-16.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Styles\Base\SwitchStyle.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\light\dropboxstatus-busy@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\PackageAssets\Assets\TinyTile.scale-200.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Strings\language-pl\Resources.resw	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\legacy\dropboxstatus-longnotification@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\wind3d11_native.pyd	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\TinyTile.contrast-black.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\dark\dropboxstatus-shortnotification@2p5x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\legacy\dropboxstatus-notification@2p5x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\legacy\dropboxstatus-notification@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\PackageAssets\Assets\TileSmall.contrast-white_scale-400.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\dark\dropboxstatus-cam@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\dark\dropboxstatus-logo@2x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\light\dropboxstatus-logo@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\images\03_Tray_Icon\win\light\dropboxstatus-snooze@3x.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\QtQuick\Controls\Styles\Base\TextAreaStyle.qml	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\api-ms-win-crt-private-l1-1-0.dll	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\libffi-7.dll	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\gsheet.targetsize-128.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\web.targetsize-256.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\locales\nb.pak	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\PackageAssets\Assets\StoreLogo.contrast-black_scale-150.png	Dropbox.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\Download\{CC46080E-4C33-4981-859A-BBA2F780F31E}\189.4.8395\DropboxClient_189.4.8395.x64.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\StoreLogo.contrast-white_scale-400.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\gsheet.targetsize-256.png	DropboxClient_189.4.8395.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Assets\gslides.targetsize-64.png	DropboxClient_189.4.8395.x64.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Installer\e574b22.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574b22.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099218A5-A723-43DC-8DB5-6173656A1E94}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C97.tmp	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e574b26.msi	msiexec.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1240	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DropboxUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E	DropboxUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass.1\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\LocalService = "dbupdatem"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\CurVer\ = "DropboxUpdate.Update3WebMachineFallback.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}\NumMethods	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\Elevation\Enabled = "1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.817.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\NumMethods\ = "8"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ProgID\ = "DropboxUpdate.CoreClass.1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\ProxyStubClsid32\ = "{A378DB55-CBFE-483C-8697-710EAD506BBF}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}\NumMethods\ = "10"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine\ = "Dropbox.OneClickProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\VersionIndependentProgID\ = "DropboxUpdate.CoreMachineClass"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\VersionIndependentProgID\ = "DropboxUpdate.OnDemandCOMClassSvc"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C416C376-AEC5-4443-9D90-BEBA9434763B}\ProxyStubClsid32\ = "{A378DB55-CBFE-483C-8697-710EAD506BBF}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass.1\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\ProxyStubClsid32\ = "{A378DB55-CBFE-483C-8697-710EAD506BBF}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ProgID\ = "DropboxUpdate.CoCreateAsync.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}\NumMethods\ = "6"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ = "IAppBundleWeb"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalizedString = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.817.1\\goopdate.dll,-3000"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\VersionIndependentProgID\ = "DropboxUpdate.Update3COMClassService"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\VersionIndependentProgID\ = "DropboxUpdate.Update3WebSvc"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\CLSID\ = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CurVer\ = "DropboxUpdate.Update3COMClassService.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E6CC2A7CB440C2A4DBE17EE5DAC2110B\5A812990327ACD34D85B163756A6E149	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC422F86-7267-4AF2-8F4F-A20C060621DE}\NumMethods\ = "13"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\ProxyStubClsid32\ = "{A378DB55-CBFE-483C-8697-710EAD506BBF}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\Elevation\Enabled = "1"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}\LocalService = "dbupdate"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\ProxyStubClsid32	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78F1393A-63FD-494A-BA89-2C3ECA4E8EC8}\InprocServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}\NumMethods\ = "10"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\NumMethods\ = "9"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\VersionIndependentProgID\ = "Dropbox.OneClickProcessLauncherMachine"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EFBFAEAE-657C-4286-84C8-ECCE9A4B0C44}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78F1393A-63FD-494A-BA89-2C3ECA4E8EC8}\InprocServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8474489-B2C1-4CE8-852D-FF8A916C91F0}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.817.1\\DropboxUpdateBroker.exe\""	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\CurVer	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2364	DropboxUpdate.exe
2364	DropboxUpdate.exe
636	msiexec.exe
636	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	DropboxUpdate.exe
Token: SeShutdownPrivilege	2364	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	2364	DropboxUpdate.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeCreateTokenPrivilege	2364	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	2364	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	2364	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	2364	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	2364	DropboxUpdate.exe
Token: SeTcbPrivilege	2364	DropboxUpdate.exe
Token: SeSecurityPrivilege	2364	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	2364	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	2364	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	2364	DropboxUpdate.exe
Token: SeSystemtimePrivilege	2364	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	2364	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	2364	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	2364	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	2364	DropboxUpdate.exe
Token: SeBackupPrivilege	2364	DropboxUpdate.exe
Token: SeRestorePrivilege	2364	DropboxUpdate.exe
Token: SeShutdownPrivilege	2364	DropboxUpdate.exe
Token: SeDebugPrivilege	2364	DropboxUpdate.exe
Token: SeAuditPrivilege	2364	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	2364	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	2364	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	2364	DropboxUpdate.exe
Token: SeUndockPrivilege	2364	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	2364	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	2364	DropboxUpdate.exe
Token: SeManageVolumePrivilege	2364	DropboxUpdate.exe
Token: SeImpersonatePrivilege	2364	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	2364	DropboxUpdate.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 2364	3212	1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe	89
PID 3212 wrote to memory of 2364	3212	1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe	89
PID 3212 wrote to memory of 2364	3212	1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe	89
PID 2364 wrote to memory of 232	2364	DropboxUpdate.exe	93
PID 2364 wrote to memory of 232	2364	DropboxUpdate.exe	93
PID 2364 wrote to memory of 232	2364	DropboxUpdate.exe	93
PID 2364 wrote to memory of 4608	2364	DropboxUpdate.exe	96
PID 2364 wrote to memory of 4608	2364	DropboxUpdate.exe	96
PID 2364 wrote to memory of 4608	2364	DropboxUpdate.exe	96
PID 2364 wrote to memory of 408	2364	DropboxUpdate.exe	99
PID 2364 wrote to memory of 408	2364	DropboxUpdate.exe	99
PID 2364 wrote to memory of 408	2364	DropboxUpdate.exe	99
PID 2364 wrote to memory of 1728	2364	DropboxUpdate.exe	98
PID 2364 wrote to memory of 1728	2364	DropboxUpdate.exe	98
PID 2364 wrote to memory of 1728	2364	DropboxUpdate.exe	98
PID 2320 wrote to memory of 4212	2320	DropboxUpdate.exe	113
PID 2320 wrote to memory of 4212	2320	DropboxUpdate.exe	113
PID 2320 wrote to memory of 4212	2320	DropboxUpdate.exe	113

C:\Users\Admin\AppData\Local\Temp\1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe
"C:\Users\Admin\AppData\Local\Temp\1eca77d0b0cac66fe7a3a9605ef12f19244bedd475f347aea582824752e2b554.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKeXJWa29zTGNtSUw4blBUczFUc2xKUWNzN3dLRWh5ZEswMGRRc3VMUE92Y0FvTWR2YXdqRExMOXlqeFRBdnpEczdSTXpRM01EYTFORFl4TWxUU1VWQXFUaTB1enN6UGk4OU1BV28yTmpLenREUXpNRFV4TkxRME03RTBNTEkwTXpJME1EVTJBcW8yTjdRME1nSnhEYzFxQVF0YkhfSX5ATUVUQSJ9"
  2⤵
  - Sets file execution options in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:232
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4608
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKeXJWa29zTGNtSUw4blBUczFUc2xKUWNzN3dLRWh5ZEswMGRRc3VMUE92Y0FvTWR2YXdqRExMOXlqeFRBdnpEczdSTXpRM01EYTFORFl4TWxUU1VWQXFUaTB1enN6UGk4OU1BV28yTmpLenREUXpNRFV4TkxRME03RTBNTEkwTXpJME1EVTJBcW8yTjdRME1nSnhEYzFxQVF0YkhfSX5ATUVUQSJ9&nolaunch=0" /installsource taggedmi /sessionid "{1E45FAA2-50C9-4498-A740-0024145B4584}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1728
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGphSEp2YldVNk9tVktlWEpXYTI5elRHTnRTVXc0YmxCVWN6RlVjMnhLVVdOek4zZExSV2g1WkVzd01HUlJjM1ZNVUU5MlkwRnZUV1IyWVhkcVJFeE1PWGxxZUZSQmRucEVjemRTVFhwUk0wMUVZVEZPUkZsNFRXeFVVMVZXUVhGVWFUQjFlbk42VUdrNE9VMUJWMjh5VG1wTGVuUkVVWHBOUkZWNFRreFJNRTAzUlRCTlRFa3dUWHBKTUUxRVZUSkJjVzh5VGpkUk1FMW5TbmhFWXpGeFFWRjBZa2hmU1g1QVRVVlVRU0o5IiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuODE3LjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUU0NUZBQTItNTBDOS00NDk4LUE3NDAtMDAyNDE0NUI0NTg0fSIgdXNlcmlkPSJ7OUFEOTA1M0EtODhDQS00NTc5LTk4MUMtRDA0NDlCNjFGNjRGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezIyODRGNTVELUYwNkEtNEY2RS1BNEUwLThFMDg0MzQ4MEYyRX0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntEODk2OEZGMi1FMEIxLTRBMTMtQTNFMi1DOUYyOTk1RjNCQzZ9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuODE3LjEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files (x86)\Dropbox\Update\Install\{358D8E15-8295-455E-B00A-25E4ACE4509D}\DropboxClient_189.4.8395.x64.exe
  "C:\Program Files (x86)\Dropbox\Update\Install\{358D8E15-8295-455E-B00A-25E4ACE4509D}\DropboxClient_189.4.8395.x64.exe" /S /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKeXJWa29zTGNtSUw4blBUczFUc2xKUWNzN3dLRWh5ZEswMGRRc3VMUE92Y0FvTWR2YXdqRExMOXlqeFRBdnpEczdSTXpRM01EYTFORFl4TWxUU1VWQXFUaTB1enN6UGk4OU1BV28yTmpLenREUXpNRFV4TkxRME03RTBNTEkwTXpJME1EVTJBcW8yTjdRME1nSnhEYzFxQVF0YkhfSX5ATUVUQSIsIm9tYWhhLWluc3RhbGxlci1pZCI6Ins5QUQ5MDUzQS04OENBLTQ1NzktOTgxQy1EMDQ0OUI2MUY2NEZ9IiwicmVxdWVzdF9zZXF1ZW5jZSI6MH0 /InstallType:MACHINE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:4212
- - C:\Program Files (x86)\Dropbox\Client_189.4.8395\Dropbox.exe
    "C:\Program Files (x86)\Dropbox\Client\..\Client_189.4.8395\Dropbox.exe" /install /InstallType:MACHINE /InstallDir:"C:\Program Files (x86)\Dropbox\Client" /KillEveryone:YES /IsAutoUpdate:
    3⤵
    PID:1500
  - - C:\Windows\system32\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall delete rule name=Dropbox
      4⤵
      Modifies Windows Firewall
      PID:3736
  - - C:\Windows\system32\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any protocol=tcp localport=17500-17510
      4⤵
      Modifies Windows Firewall
      PID:860
  - - C:\Windows\system32\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any protocol=udp localport=17500
      4⤵
      Modifies Windows Firewall
      PID:4456
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\189.4.8395\DropboxOfficeAddin64.14.dll"
      4⤵
      PID:5100
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      PID:3660
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1636
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /S "C:\Program Files (x86)\Dropbox\Client\189.4.8395\DropboxOfficeAddin.14.dll"
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.69.0.dll"
      4⤵
      PID:4520
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.69.0.dll"
      4⤵
      PID:3884
  - - C:\Windows\System32\sc.exe
      C:\Windows\System32\sc.exe failure DbxSvc reset= 3600 actions= restart/5000/restart/30000//
      4⤵
      Launches sc.exe
      PID:1240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"
      4⤵
      PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online"
      4⤵
      PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\342DDE12-9CFA-4622-A3C9-DBC6FD348C5B\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\342DDE12-9CFA-4622-A3C9-DBC6FD348C5B\dismhost.exe {0553AC45-2272-487F-B6AA-A5DDA02D34E4}
        5⤵
        
        PID:64
- C:\Program Files (x86)\Dropbox\Update\1.3.817.1\DropboxCrashHandler.exe
  "C:\Program Files (x86)\Dropbox\Update\1.3.817.1\DropboxCrashHandler.exe" /crashhandler
  2⤵
  PID:2480
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGphSEp2YldVNk9tVktlWEpXYTI5elRHTnRTVXc0YmxCVWN6RlVjMnhLVVdOek4zZExSV2g1WkVzd01HUlJjM1ZNVUU5MlkwRnZUV1IyWVhkcVJFeE1PWGxxZUZSQmRucEVjemRTVFhwUk0wMUVZVEZPUkZsNFRXeFVVMVZXUVhGVWFUQjFlbk42VUdrNE9VMUJWMjh5VG1wTGVuUkVVWHBOUkZWNFRreFJNRTAzUlRCTlRFa3dUWHBKTUUxRVZUSkJjVzh5VGpkUk1FMW5TbmhFWXpGeFFWRjBZa2hmU1g1QVRVVlVRU0lzSW5KbGNYVmxjM1JmYzJWeGRXVnVZMlVpT2pCOSIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjgxNy4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezFFNDVGQUEyLTUwQzktNDQ5OC1BNzQwLTAwMjQxNDVCNDU4NH0iIHVzZXJpZD0iezlBRDkwNTNBLTg4Q0EtNDU3OS05ODFDLUQwNDQ5QjYxRjY0Rn0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntFNjRFQ0UwNy05MTk3LTQ0MjItOUMxMy04QTI5NEMwRDY1NTJ9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7Q0M0NjA4MEUtNEMzMy00OTgxLTg1OUEtQkJBMkY3ODBGMzFFfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTg5LjQuODM5NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImJ1aWxkaWQ9bWFpbnxUaHUsIDMxIERlYyAyMDk5IDIzOjU5OjU5IEdNVCIgaW5zdGFsbGFnZT0iLTEiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRfdGltZV9tcz0iMzg1NDciIGRvd25sb2FkZWQ9IjE5ODU4Mzg0OCIgdG90YWw9IjE5ODU4Mzg0OCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  PID:4668

C:\Windows\SysWOW64\regsvr32.exe
/S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.69.0.dll"
1⤵
PID:4072

C:\Windows\system32\regsvr32.exe
/S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.69.0.dll"
1⤵
PID:4948

C:\Windows\system32\regsvr32.exe
/S "C:\Program Files (x86)\Dropbox\Client\189.4.8395\DropboxOfficeAddin64.14.dll"
1⤵
PID:1264

C:\Windows\system32\DbxSvc.exe
C:\Windows\system32\DbxSvc.exe
1⤵
PID:4088

C:\Windows\SysWOW64\regsvr32.exe
/S "C:\Program Files (x86)\Dropbox\Client\189.4.8395\DropboxOfficeAddin.14.dll"
1⤵
PID:1152

C:\Program Files (x86)\Dropbox\Update\1.3.817.1\DropboxUpdateOnDemand.exe
"C:\Program Files (x86)\Dropbox\Update\1.3.817.1\DropboxUpdateOnDemand.exe" -Embedding
1⤵
PID:1156
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ondemand
  2⤵
  PID:228

C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /firstrun 1 /noappwasrunning /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKeXJWa29zTGNtSUw4blBUczFUc2xKUWNzN3dLRWh5ZEswMGRRc3VMUE92Y0FvTWR2YXdqRExMOXlqeFRBdnpEczdSTXpRM01EYTFORFl4TWxUU1VWQXFUaTB1enN6UGk4OU1BV28yTmpLenREUXpNRFV4TkxRME03RTBNTEkwTXpJME1EVTJBcW8yTjdRME1nSnhEYzFxQVF0YkhfSX5ATUVUQSIsInJlcXVlc3Rfc2VxdWVuY2UiOjB9
1⤵
PID:3852
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" -type:crashpad-handler --no-upload-gzip --no-rate-limit --capture-python --no-identify-client-via-url --database=C:\Users\Admin\AppData\Local\Dropbox\Crashpad --metrics-dir=0 --url=https://d.dropbox.com/report_crashpad_minidump --https-pin=0x23,0xf2,0xed,0xff,0x3e,0xde,0x90,0x25,0x9a,0x9e,0x30,0xf4,0xa,0xf8,0xf9,0x12,0xa5,0xe5,0xb3,0x69,0x4e,0x69,0x38,0x44,0x3,0x41,0xf6,0x6,0xe,0x1,0x4f,0xfa --https-pin=0xaf,0xf9,0x88,0x90,0x6d,0xde,0x12,0x95,0x5d,0x9b,0xeb,0xbf,0x92,0x8f,0xdc,0xc3,0x1c,0xce,0x32,0x8d,0x5b,0x93,0x84,0xf2,0x1c,0x89,0x41,0xca,0x26,0xe2,0x3,0x91 --https-pin=0xb9,0x4c,0x19,0x83,0x0,0xce,0xc5,0xc0,0x57,0xad,0x7,0x27,0xb7,0xb,0xbe,0x91,0x81,0x69,0x92,0x25,0x64,0x39,0xa7,0xb3,0x2f,0x45,0x98,0x11,0x9d,0xda,0x9c,0x97 --https-pin=0x5a,0x88,0x96,0x47,0x22,0xe,0x54,0xd6,0xbd,0x8a,0x16,0x81,0x72,0x24,0x52,0xb,0xb5,0xc7,0x8e,0x58,0x98,0x4b,0xd5,0x70,0x50,0x63,0x88,0xb9,0xde,0xf,0x7,0x5f --https-pin=0xfe,0xa2,0xb7,0xd6,0x45,0xfb,0xa7,0x3d,0x75,0x3c,0x1e,0xc9,0xa7,0x87,0xc,0x40,0xe1,0xf7,0xb0,0xc5,0x61,0xe9,0x27,0xb9,0x85,0xbf,0x71,0x18,0x66,0xe3,0x6f,0x22 --https-pin=0x76,0xee,0x85,0x90,0x37,0x4c,0x71,0x54,0x37,0xbb,0xca,0x6b,0xba,0x60,0x28,0xea,0xdd,0xe2,0xdc,0x6d,0xbb,0xb8,0xc3,0xf6,0x10,0xe8,0x51,0xf1,0x1d,0x1a,0xb7,0xf5 --https-pin=0x6d,0xbf,0xae,0x0,0xd3,0x7b,0x9c,0xd7,0x3f,0x8f,0xb4,0x7d,0xe6,0x59,0x17,0xaf,0x0,0xe0,0xdd,0xdf,0x42,0xdb,0xce,0xac,0x20,0xc1,0x7c,0x2,0x75,0xee,0x20,0x95 --https-pin=0x1e,0xa3,0xc5,0xe4,0x3e,0xd6,0x6c,0x2d,0xa2,0x98,0x3a,0x42,0xa4,0xa7,0x9b,0x1e,0x90,0x67,0x86,0xce,0x9f,0x1b,0x58,0x62,0x14,0x19,0xa0,0x4,0x63,0xa8,0x7d,0x38 --https-pin=0x87,0xaf,0x34,0xd6,0x6f,0xb3,0xf2,0xfd,0xf3,0x6e,0x9,0x11,0x1e,0x9a,0xba,0x2f,0x6f,0x44,0xb2,0x7,0xf3,0x86,0x3f,0x3d,0xb,0x54,0xb2,0x50,0x23,0x90,0x9a,0xa5 --https-pin=0xbc,0xfb,0x44,0xaa,0xb9,0xad,0x2,0x10,0x15,0x70,0x6b,0x41,0x21,0xea,0x76,0x1c,0x81,0xc9,0xe8,0x89,0x67,0x59,0xf,0x6f,0x94,0xae,0x74,0x4d,0xc8,0x8b,0x78,0xfb --https-pin=0xab,0x98,0x49,0x52,0x76,0xad,0xf1,0xec,0xaf,0xf2,0x8f,0x35,0xc5,0x30,0x48,0x78,0x1e,0x5c,0x17,0x18,0xda,0xb9,0xc8,0xe6,0x7a,0x50,0x4f,0x4f,0x6a,0x51,0x32,0x8f --https-pin=0x49,0x5,0x46,0x66,0x23,0xab,0x41,0x78,0xbe,0x92,0xac,0x5c,0xbd,0x65,0x84,0xf7,0xa1,0xe1,0x7f,0x27,0x65,0x2d,0x5a,0x85,0xaf,0x89,0x50,0x4e,0xa2,0x39,0xaa,0xaa --https-pin=0x56,0x32,0xd9,0x7b,0xfa,0x77,0x5b,0xf3,0xc9,0x9d,0xde,0xa5,0x2f,0xc2,0x55,0x34,0x10,0x86,0x40,0x16,0x72,0x9c,0x52,0xdd,0x65,0x24,0xc8,0xa9,0xc3,0xb4,0x48,0x9f --https-pin=0x2a,0x8f,0x2d,0x8a,0xf0,0xeb,0x12,0x38,0x98,0xf7,0x4c,0x86,0x6a,0xc3,0xfa,0x66,0x90,0x54,0xe2,0x3c,0x17,0xbc,0x7a,0x95,0xbd,0x2,0x34,0x19,0x2d,0xc6,0x35,0xd0 --https-pin=0x32,0xb6,0x4b,0x66,0x72,0x7a,0x20,0x63,0xe4,0x6,0x6f,0x3b,0x95,0x8c,0xb0,0xaa,0xee,0x57,0x6a,0x5e,0xce,0xfd,0x95,0x33,0x99,0xbb,0x88,0x74,0x73,0x1d,0x95,0x87 --https-pin=0xf5,0x3c,0x22,0x5,0x98,0x17,0xdd,0x96,0xf4,0x0,0x65,0x16,0x39,0xd2,0xf8,0x57,0xe2,0x10,0x70,0xa5,0x9a,0xbe,0xd9,0x7,0x94,0x0,0xd9,0xf6,0x95,0x50,0x69,0x0 --https-pin=0x67,0xdc,0x4f,0x32,0xfa,0x10,0xe7,0xd0,0x1a,0x79,0xa0,0x73,0xaa,0xc,0x9e,0x2,0x12,0xec,0x2f,0xfc,0x3d,0x77,0x9e,0xa,0xa7,0xf9,0xc0,0xf0,0xe1,0xc2,0xc8,0x93 --https-pin=0x19,0x6,0xc6,0x12,0x4d,0xbb,0x43,0x85,0x78,0xd0,0xe,0x6,0x6d,0x50,0x54,0xc6,0xc3,0x7f,0xf,0xa6,0x2,0x8c,0x5,0x54,0x5e,0x9,0x94,0xed,0xda,0xec,0x86,0x29 --https-pin=0x1d,0x75,0xd0,0x83,0x1b,0x9e,0x8,0x85,0x39,0x4d,0x32,0xc7,0xa1,0xbf,0xdb,0x3d,0xbc,0x1c,0x28,0xe2,0xb0,0xe8,0x39,0x1f,0xb1,0x35,0x98,0x1d,0xbc,0x5b,0xa9,0x36 --annotation=machine_id=54283972-31eb-44bb-adba-4e057460c33c --annotation=platform=win "--annotation=platform_version=10 2004" --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ffec3d74378,0x7ffec3d74338,0x7ffec3d74348
  2⤵
  PID:2484
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" -type:exit-monitor -method:collectupload -session-token:2de3547d-9bc5-48de-9ea4-a17535d8746c -target-handle:668 -target-shutdown-event:664 -target-restart-event:672 "-target-command-line:\"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe\" /firstrun 1 /noappwasrunning /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKeXJWa29zTGNtSUw4blBUczFUc2xKUWNzN3dLRWh5ZEswMGRRc3VMUE92Y0FvTWR2YXdqRExMOXlqeFRBdnpEczdSTXpRM01EYTFORFl4TWxUU1VWQXFUaTB1enN6UGk4OU1BV28yTmpLenREUXpNRFV4TkxRME03RTBNTEkwTXpJME1EVTJBcW8yTjdRME1nSnhEYzFxQVF0YkhfSX5ATUVUQSIsInJlcXVlc3Rfc2VxdWVuY2UiOjB9" -python-version:3.8.17 -process-type:main -handler-pipe:\\.\pipe\crashpad_3852_YDNZYTRQICWBIRLF
  2⤵
  PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:2768
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /restartexplorer
  2⤵
  - Drops file in Program Files directory
  PID:4212
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=gpu-process --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --crashpad-handler-ipc-pipe-name="\\.\pipe\crashpad_3852_YDNZYTRQICWBIRLF" --crashpad-annotations="product_name:desktop_client,buildid:main,buildno:Dropbox-win-189.4.8395,platform:win,platform_version:10 2004" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4976 /prefetch:2
  2⤵
  PID:2712
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=none --standard-schemes=dbx-local --secure-schemes=dbx-local --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=gpu-process --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --crashpad-handler-ipc-pipe-name="\\.\pipe\crashpad_3852_YDNZYTRQICWBIRLF" --crashpad-annotations="product_name:desktop_client,buildid:main,buildno:Dropbox-win-189.4.8395,platform:win,platform_version:10 2004" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5292 /prefetch:2
  2⤵
  PID:1276
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=gpu-process --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --crashpad-handler-ipc-pipe-name="\\.\pipe\crashpad_3852_YDNZYTRQICWBIRLF" --crashpad-annotations="product_name:desktop_client,buildid:main,buildno:Dropbox-win-189.4.8395,platform:win,platform_version:10 2004" --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5676 /prefetch:2
  2⤵
  PID:3444
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=renderer --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=dbx-local --secure-schemes=dbx-local --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Program Files (x86)\Dropbox\Client\189.4.8395\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=renderer --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=dbx-local --secure-schemes=dbx-local --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Program Files (x86)\Dropbox\Client\189.4.8395\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9644 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
  "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" --type=renderer --field-trial-handle=4964,16548020009230116092,10349751807564493385,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --lang=en-US --standard-schemes=dbx-local --secure-schemes=dbx-local --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Program Files (x86)\Dropbox\Client\189.4.8395\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:5328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5380

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5596

Network

DNS

2.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.181.190.20.in-addr.arpa

IN PTR

Response
DNS

2.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.181.190.20.in-addr.arpa

IN PTR
DNS

2.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.181.190.20.in-addr.arpa

IN PTR
DNS

2.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.181.190.20.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

client.dropbox.com

DropboxUpdate.exe

Remote address:

8.8.8.8:53

Request

client.dropbox.com

IN A

Response

client.dropbox.com

IN CNAME

client-env.dropbox-dns.com

client-env.dropbox-dns.com

IN A

162.125.64.13
POST

https://client.dropbox.com/client/updates/pings

DropboxUpdate.exe

Remote address:

162.125.64.13:443

Request

POST /client/updates/pings HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/plain
User-Agent: Dropbox Update/1.3.817.1;winhttp
X-Dropbox-Update-Interactivity: bg
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Content-Length: 807
Host: client.dropbox.com

Response

HTTP/1.1 200 OK

Cache-Control: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Server-Response-Time: 59
Content-Type: text/html; charset=utf-8
Accept-Encoding: identity,gzip
Date: Tue, 26 Dec 2023 13:51:53 GMT
Server: envoy
X-Dropbox-Is-Upstream-Batch: true
Content-Length: 214
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Robots-Tag: noindex, nofollow, noimageindex
Vary: Accept-Encoding
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 5eb814f031bc4e92a6db926639a951c7
DNS

195.233.44.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.233.44.23.in-addr.arpa

IN PTR

Response

195.233.44.23.in-addr.arpa

IN PTR

a23-44-233-195deploystaticakamaitechnologiescom
DNS

13.64.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.64.125.162.in-addr.arpa

IN PTR

Response
POST

https://client.dropbox.com/client/updates/service

DropboxUpdate.exe

Remote address:

162.125.64.13:443

Request

POST /client/updates/service HTTP/2.0
host: client.dropbox.com
cache-control: no-cache
pragma: no-cache
content-type: text/plain
user-agent: Dropbox Update/1.3.817.1;winhttp
x-dropbox-update-interactivity: fg
x-last-hr: 0x0
x-last-http-status-code: 0
x-retry-count: 0
content-length: 846

Response

HTTP/2.0 200

cache-control: no-cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-server-response-time: 89
content-type: text/html; charset=utf-8
accept-encoding: identity,gzip
date: Tue, 26 Dec 2023 13:51:50 GMT
server: envoy
x-dropbox-is-upstream-batch: true
content-length: 1027
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-robots-tag: noindex, nofollow, noimageindex
vary: Accept-Encoding
x-dropbox-response-origin: far_remote
x-dropbox-request-id: fdbe8e062e1546d18237c243865a61d0
DNS

edge.dropboxstatic.com

Remote address:

8.8.8.8:53

Request

edge.dropboxstatic.com

IN A

Response

edge.dropboxstatic.com

IN CNAME

edge-static-env.dropbox-dns.com

edge-static-env.dropbox-dns.com

IN A

162.125.64.22
DNS

edge.dropboxstatic.com

Remote address:

8.8.8.8:53

Request

edge.dropboxstatic.com

IN A
DNS

edge.dropboxstatic.com

Remote address:

8.8.8.8:53

Request

edge.dropboxstatic.com

IN A
HEAD

https://edge.dropboxstatic.com/dbx-releng/client/DropboxClient_189.4.8395.x64.exe

Remote address:

162.125.64.22:443

Request

HEAD /dbx-releng/client/DropboxClient_189.4.8395.x64.exe HTTP/2.0
host: edge.dropboxstatic.com
accept: */*
accept-encoding: identity
user-agent: Microsoft BITS/7.8
x-last-hr: 0x0
x-last-http-status-code: 0
x-retry-count: 0

Response

HTTP/2.0 200

server: envoy
date: Tue, 26 Dec 2023 13:51:57 GMT
content-type: application/x-ms-dos-executable
content-length: 198583848
last-modified: Mon, 18 Dec 2023 20:36:31 GMT
cache-control: max-age=2419200
x-robots-tag: noindex, nofollow, noimageindex
strict-transport-security: max-age=31536000; includeSubDomains
x-cached: HIT
accept-ranges: bytes
x-dropbox-response-origin: remote
x-dropbox-request-id: 06932248d51e4d0292d53a2ac4374be9
GET

https://edge.dropboxstatic.com/dbx-releng/client/DropboxClient_189.4.8395.x64.exe

Remote address:

162.125.64.22:443

Request

GET /dbx-releng/client/DropboxClient_189.4.8395.x64.exe HTTP/2.0
host: edge.dropboxstatic.com
accept: */*
accept-encoding: identity
if-unmodified-since: Mon, 18 Dec 2023 20:36:31 GMT
user-agent: Microsoft BITS/7.8
x-last-hr: 0x0
x-last-http-status-code: 0
x-retry-count: 0

Response

HTTP/2.0 200

server: envoy
date: Tue, 26 Dec 2023 13:51:57 GMT
content-type: application/x-ms-dos-executable
content-length: 198583848
last-modified: Mon, 18 Dec 2023 20:36:31 GMT
cache-control: max-age=2419200
x-robots-tag: noindex, nofollow, noimageindex
strict-transport-security: max-age=31536000; includeSubDomains
x-cached: HIT
accept-ranges: bytes
x-dropbox-response-origin: remote
x-dropbox-request-id: 8feb04cc008a434492c2b08e6b73ce01
DNS

22.64.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.64.125.162.in-addr.arpa

IN PTR

Response
DNS

22.64.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.64.125.162.in-addr.arpa

IN PTR
DNS

Remote address:

8.8.8.8:53

Response

16.234.44.23.in-addr.arpa

IN PTR

a23-44-234-16deploystaticakamaitechnologiescom
DNS

Remote address:

8.8.8.8:53

Response

settings-win.data.microsoft.com

IN CNAME

atm-settingsfe-prod-geo2.trafficmanager.net

atm-settingsfe-prod-geo2.trafficmanager.net

IN CNAME

settings-prod-weu-1.westeurope.cloudapp.azure.com

settings-prod-weu-1.westeurope.cloudapp.azure.com

IN A

51.124.78.146
DNS

Remote address:

8.8.8.8:53

Response
DNS

Remote address:

8.8.8.8:53

Response

slscr.update.microsoft.com

IN CNAME

sls.update.microsoft.com

sls.update.microsoft.com

IN CNAME

glb.sls.prod.dcat.dsp.trafficmanager.net

glb.sls.prod.dcat.dsp.trafficmanager.net

IN A

52.165.165.26
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

d.dropbox.com

Remote address:

8.8.8.8:53

Request

d.dropbox.com

IN A

Response

d.dropbox.com

IN CNAME

d.v.dropbox.com

d.v.dropbox.com

IN CNAME

d-edge.v.dropbox.com

d-edge.v.dropbox.com

IN A

162.125.8.20
DNS

d.dropbox.com

Remote address:

8.8.8.8:53

Request

d.dropbox.com

IN A
DNS

20.8.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.8.125.162.in-addr.arpa

IN PTR

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

api.dropboxapi.com

Remote address:

8.8.8.8:53

Request

api.dropboxapi.com

IN A

Response

api.dropboxapi.com

IN CNAME

api.dropbox.com

api.dropbox.com

IN CNAME

api-env.dropbox-dns.com

api-env.dropbox-dns.com

IN A

162.125.64.19
DNS

19.64.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.64.125.162.in-addr.arpa

IN PTR

Response

162.125.64.13:443

https://client.dropbox.com/client/updates/pings

tls, http

DropboxUpdate.exe

3.1kB
5.6kB
11
9

HTTP Request

POST https://client.dropbox.com/client/updates/pings

HTTP Response

200
162.125.64.13:443

https://client.dropbox.com/client/updates/service

tls, http2

DropboxUpdate.exe

5.0kB
11.4kB
24
22

HTTP Request

POST https://client.dropbox.com/client/updates/service

HTTP Response

200
162.125.64.22:443

https://edge.dropboxstatic.com/dbx-releng/client/DropboxClient_189.4.8395.x64.exe

tls, http2

1.3MB
28.4MB
19199
20468

HTTP Request

HEAD https://edge.dropboxstatic.com/dbx-releng/client/DropboxClient_189.4.8395.x64.exe

HTTP Response

200

HTTP Request

GET https://edge.dropboxstatic.com/dbx-releng/client/DropboxClient_189.4.8395.x64.exe

HTTP Response

200
23.44.234.16:80
52.142.223.178:80

52 B
1
13.95.31.18:443
162.125.8.20:443

d.dropbox.com

tls

48.9kB
4.5kB
46
22
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14
204.79.197.200:443

tse1.mm.bing.net

tls

17.6kB
455.3kB
346
344
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
15
14
162.125.6.20:443

d.dropbox.com

tls

646 B
3.5kB
5
4
162.125.64.13:443

client.dropbox.com

tls

5.8kB
22.9kB
28
28
162.125.64.19:443

api.dropboxapi.com

tls

1.1kB
5.5kB
10
11
162.125.6.20:443

d.dropbox.com

tls

21.4kB
6.0kB
25
17
162.125.6.20:443

d.dropbox.com

tls

1.1kB
4.0kB
10
8

8.8.8.8:53

2.181.190.20.in-addr.arpa

dns

284 B
157 B
4
1

DNS Request

2.181.190.20.in-addr.arpa

DNS Request

2.181.190.20.in-addr.arpa

DNS Request

2.181.190.20.in-addr.arpa

DNS Request

2.181.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

292 B
144 B
4
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

284 B
157 B
4
1

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

client.dropbox.com

dns

DropboxUpdate.exe

64 B
117 B
1
1

DNS Request

client.dropbox.com

DNS Response

162.125.64.13
8.8.8.8:53

195.233.44.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

195.233.44.23.in-addr.arpa
8.8.8.8:53

13.64.125.162.in-addr.arpa

dns

72 B
122 B
1
1

DNS Request

13.64.125.162.in-addr.arpa
8.8.8.8:53

edge.dropboxstatic.com

dns

204 B
126 B
3
1

DNS Request

edge.dropboxstatic.com

DNS Request

edge.dropboxstatic.com

DNS Request

edge.dropboxstatic.com

DNS Response

162.125.64.22
8.8.8.8:53

22.64.125.162.in-addr.arpa

dns

144 B
122 B
2
1

DNS Request

22.64.125.162.in-addr.arpa

DNS Request

22.64.125.162.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

dns

210 B
1

DNS Response

51.124.78.146
8.8.8.8:53

dns

135 B
1
8.8.8.8:53

dns

146 B
1
8.8.8.8:53
8.8.8.8:53
162.159.36.2:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

dns

160 B
1

DNS Response

52.165.165.26
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

d.dropbox.com

dns

118 B
114 B
2
1

DNS Request

d.dropbox.com

DNS Request

d.dropbox.com

DNS Response

162.125.8.20
8.8.8.8:53

20.8.125.162.in-addr.arpa

dns

71 B
121 B
1
1

DNS Request

20.8.125.162.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

api.dropboxapi.com

dns

64 B
140 B
1
1

DNS Request

api.dropboxapi.com

DNS Response

162.125.64.19
8.8.8.8:53

19.64.125.162.in-addr.arpa

dns

72 B
122 B
1
1

DNS Request

19.64.125.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574b25.rbs

Filesize
7KB

MD5
4fa33d3b357f3c31d78a5fb67c1505ee

SHA1
ae670e86612a30175179507bd466c63337bb434d

SHA256
a491fca19af370288c2341572cc62e2c8848a17de1ce452ad6fb350ad7b40547

SHA512
9d897f061488477dd15bdc5d8fb226fb0e95be912ccba15f5d63e611acfee65db721f7c74727c543276f75e6750a56b9cc58d6b8d36795a265719ebcaa33f4dd

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\backup.png

Filesize
6KB

MD5
1521c0a628944271f2bc1e19978913db

SHA1
62dcff433a57e17a24eae81638744df31068f693

SHA256
5bfc58e4b27a8405effcf108856d2650299afcf55eab83e95370c9b6066709b0

SHA512
39c0b9ab739bb777ff1e2c64d71e910d6859f50f0b0f243d34610f30f4b312185ae70f715880b4918b272f01e51e5be127f2b40c37cb3419ca3650c2248b66bc

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\binder.png

Filesize
2KB

MD5
873fbb8d6c4031515ffe4fa2fca98f1c

SHA1
6647f17a25a2e11e8b43ea057c14d77d8b0485c8

SHA256
f582ca6fdf085b23240b35411040b0b5bff6c2ec1ed5b2c0f7add35c88c65914

SHA512
1c29ccf8be145285a85783b979294af651582564d62839766c549d9a76ead223c7db73abe2de65fd30fbc30a174c14677eea4f4258374cfeb519b5a2e75ceb09

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\external_drive.png

Filesize
6KB

MD5
2c5ff4c40104d73684602b8822502e79

SHA1
bb8034e2603fbd74408239b733e47f2fff668d5f

SHA256
971d455f91faf6bf320ed366f0881fc613c3228daa9ed91e0d6c864ece1a735e

SHA512
b4270bcd6cf9badc7ba7343760863961da179ba1f87545e61c27f37b4d652cf0333c5451f7ffc52628ba0d24861d6a692d0eb9d3ee247511a735b6f7b5f10743

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\gsheet.png

Filesize
1KB

MD5
8029ccc1e62854e19c74582fdc915634

SHA1
4dc6094aecb1bfdf87cdc0123a2f1f905bc83df2

SHA256
70f5bf52350b6aaf67ad1296a947ba2a87c12dbbef76d1c3f73fec723977a81b

SHA512
f37822df1dc52e955b990b138a88064edd92d134773c4dd0950e298ee7f8812e16cdfd64f6511c45f9618c99d8343ac2b973f67b5a852bda0e4c8f267caf6d1b

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\gslides.png

Filesize
1KB

MD5
d698a0f00979142b5991ab54db41ad64

SHA1
ded38ecebbb506d1b8b719c57f5ac8614dded702

SHA256
c6ed27af06f6d5e565469d95bd7ac077418971bb1dc7f2fe068d07cf0f84284e

SHA512
cadb690d88987de1ce8ea1d1fa2f93e86e6ea093a9623f5bc48d2f8cbb6e29d05525d358595902a0179b516b043bede63e2c7df3313a2658c84d2dfda0af0536

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-black.png

Filesize
850B

MD5
b832b83311da4c4ed1ab6841faf9e095

SHA1
5ec25bd5ce1914ee348afa22ffa79163b59b644a

SHA256
f1169f6b53191be05946e9ced0dbb6676b61ac9902db3218e69eb5ed4252d67a

SHA512
f5895b26b61d31046c97de5ba04d2d18587941c3e39e85e2d9a2de3bce7bff608011849dbea1982e4a2401e1c4b0a02c566e9d63c2dcfe3a2b69ecf9a473bb31

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-black_scale-125.png

Filesize
1KB

MD5
990a230b37c6ecd355eac8e6b47190f7

SHA1
c1be5515f7c2779a0bd7e837ed97b433d2d908b4

SHA256
08a92e353e5c573045edc67b2c58fe245d5ad40c3c3e63edcf4ebcb0f1efc5bf

SHA512
68e52f6ce78e91b01d06b06b51d9930ed413f258f53447d0b394dc5e2661be6e51bcfe25cb818f3a1c55385a3f9d8e695c4d759fb2d677b18822f89f8d4e607d

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-black_scale-150.png

Filesize
1KB

MD5
fedd073d6396e035e8cca6e7d38bcdb0

SHA1
2c686dfb2916c094419481c2c1f70fd73b2ff944

SHA256
bacbe3c51cc9b59f42b3b5e246d9c2e3843a08369d7551bfe53e6542a847e9f6

SHA512
93e48632646b930a4984441cd29723e1272cbfd5b005e38459dba831f0da7d530b1a9da06da8d632e75cce62a8f3ee61fa36b0dfe0ba9a74641323145857ce2a

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-black_scale-200.png

Filesize
1KB

MD5
040cd2d93b51d1ba57d7b98cadfbc5dd

SHA1
cdc1c3bf0a2a916bcf474927604c2e4755f0c5a0

SHA256
742e2f2a19e3158f1df75cbac15400b9ff4f14e6f4cbea5c856d1a8e07d52cb0

SHA512
18678967c92ee3ea29c4169e8ce602795e9908fac2e6a113d87e7f67bf74779f92befe732f6be201aa3f70b0edae8b3ce845d1f857fc90e0c6a82022300cf3b8

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-black_scale-400.png

Filesize
2KB

MD5
543d527e790ad5aadb487c3dfd251d13

SHA1
11dde867dba701cf21998165e0612d0c481f590c

SHA256
a722bae20339682d00edc12d01930b8ea9670d3a48f4e85e5d8c483a2f9f3f6f

SHA512
7402b45649d81e09e7b01a24f6cb73e0c10ff120715f57a803959d9cf3e994178f363fd722c604c7b6a942e54d860ba63dc1d7050a706b8f1595c0bf0eae08ac

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-white.png

Filesize
829B

MD5
5667327e1c37cac08cfb45f4fa04fa16

SHA1
d6ec47f3a5276a4081f24922b9510e691bef098f

SHA256
b483f895037bb12a7d9f4678382479abbfc67a898d5da76606011d133e119396

SHA512
319f81c5023197b1011f58f074ce7aae81210201db56f7af21d436c710489511c17a02e584416c6787b1cb31e06b67dcc232700b38994d2e1dd1db402f3f2095

Download Submit
C:\Program Files (x86)\Dropbox\Client\189.4.8395\Assets\logo.contrast-white_scale-125.png

Filesize
966B

MD5
0c932b40eba76ff9015a1f55a1dd1776

SHA1
e25b4506a79eeb7a586c811f6b5e626df6537cc7

SHA256
e8449b860cf4eaf5b894a606ca19951e4ca9561e0dd2e8a82b142bcee256a846

SHA512
52f34233a3e64b4beba4c8d268a1449dab42fe68d3723651d8ac80d7a5d7a4935f5b742c49fada9a0ddef3996415f99953df5088a68f1483cfcae08e9b610428

Download Submit
C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\Strings\language-es-ES\Resources.resw

Filesize
7KB

MD5
fed758a433fae9f6bd6461b769845d55

SHA1
89f1efcb9a9d568af64b109b72ed6ab77803f15e

SHA256
75997383b6597a725ecdc87f688ef632e218bb627bb724c347416937deab768f

SHA512
a04a35ca6129feea3987e261d24fbd4b2419511119ebce5c7f3d34d369eee122ecd16cad395a73812f255498ede9782d8eaec4fa7e966e340353b35600ca0977

Download Submit
C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\VCRUNTIME140.dll

Filesize
92KB

MD5
2b94a246ef671642aa3e8c9cd9adf414

SHA1
a94d3964851ab14022a54e9d95bf4378190c9d64

SHA256
5fb38c367aefb93940896f51fb38292c6c1076f2ba86068f5fd40fcaf628f1f9

SHA512
9dc1e17fd025590a1067e92dd70908a71cff52954afea2bfacacbccc799b78ac27b755b41ba37e951a169b443252db90ce9ba75e69c67a816c2cf59ec5219edc

Download Submit
C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\dropbox_core.dll

Filesize
382KB

MD5
bd79544d0a8f215dff8b32d32e85f9cf

SHA1
b5721333ae8e21c2441ba50883323a6f96491fbe

SHA256
1ce6fa857b463b430d6b95e0dc6e91b3dac30e275268ef5c554c68d2766d6cc5

SHA512
c2d3bca07b796f8b834727044f1b51b3e6fe235ff2eef3ff76d8b111e363b19e3bc6199fc20bb8f4cd43d0c1750e981db6393545ee8732f97f9431cb200a5dc9

Download Submit
C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\python38.dll

Filesize
384KB

MD5
fd8b76f710d1e29a6b96032c64c03f61

SHA1
8ca56ef2f38f7404d38903d63a5dea9d7f414356

SHA256
b19697bcd4530859c883b4e11cfeea5c7a156050a360294bb55f9bd51b88dfaa

SHA512
011f0f2323b63ce17799c9b3fa994527c7668bafcf9084ac5ccfc573c7bb72b9f3295a6877a32f967abb29fef38f5290e2b4be6cfc0b7bfdbb5802a93c4c77a4

Download Submit
C:\Program Files (x86)\Dropbox\Client_189.4.8395\189.4.8395\python38.dll

Filesize
381KB

MD5
9fc3ab634f684afa96840e6a207b9bdd

SHA1
a7c76f8fa32370e0d3bf520170468b20409e3936

SHA256
3a191298db2c53c7b3b02ba406a14a4e7b220becc17871a93694e2efc8e18d45

SHA512
6fff65cee4dfe8cb04a12018ea46292e10a7d4ce48a8d27adbf085406e7d80f04b6b52235e3db11adcb0f07ea7dc2a68f73b04367cdef722e49825229c831a92

Download Submit
C:\Program Files (x86)\Dropbox\Client_189.4.8395\Dropbox.exe

Filesize
382KB

MD5
1f018a14ce3819356f8dd4775a9a2843

SHA1
87bb1e719bdc29d16bdc35f9c5c21f7b0fcc37dd

SHA256
e8856090c195de4501d81429763df76fb109490cd5f871d26d342a4381e9c0ad

SHA512
b9802563f14c3db037bc8b124761c5a0bef763b258ac1804e6c5d1d7d0e3ea62dbd72106098a5eabd81ed65108d13df22cdc0291d04335146d9dbef86cdced0c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\@PaxHeader

Filesize
28B

MD5
52049e156cdc3a529f021044fc2066fa

SHA1
399a765110915b69e57329a2690990c9e20fb2a2

SHA256
eb7ae0eb1420c4dd29c8e597fc0cc5531b0f2c7b5f72275ce5ac4c4eb375cb6b

SHA512
482d1cf304a799f6daf4fe3608994f7026e40acedda4a582638633ab115dc728a6c1b3e29763cf61d0d23b9b6e50a372f0fec50ab825e054ba70bb552d720e1c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxCleanup.exe

Filesize
299KB

MD5
8fa7f9a62ea19f3691e8a24833a5bc25

SHA1
23f0825ce2f4731cc73e82ca814872b512d333dd

SHA256
0d9c6de8a57443bffe718d3256fdd467b8970124ba65d8accb6f47dc54d46d72

SHA512
3d8243c4a42f96d549b09797f39b0f2fbef54d643ee4048c24eb6a1b748ef07ecd6bfdc142fe4c13838b0c07957b5e558ebf98fb7bdcc841d49fcff0a06eccf4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxCrashHandler.exe

Filesize
129KB

MD5
e3214461da70a51d0fe6ab76dcc753c1

SHA1
5ce885de14919fd7ba6ce35726480b098eaf5acc

SHA256
2e3925b6c2175a98024551fea9e0b8dbc54f4107322c97b1493add40ed8ab73b

SHA512
67668b4ce7102480a0f37113922c9197ebe90619a2cded3a484024902f167bc005fe11f50e3d9509e2d4a4cbad1865f61b20189ddf37e916ff01bbf38e9e2aa6

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxUpdate.exe

Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxUpdateHelper.msi

Filesize
26KB

MD5
ad80274ebc288f8bcbfd7bf1e6b784a2

SHA1
7bfa68f1fa73986dd9c13ee719a2c0bc9bc2b9e8

SHA256
0772c75f19a0e35b3b02831563a72897d68fc7eb2b304f2d7cc58eca0a00cfe5

SHA512
d6a37fc7da74544d672ba98f07dbe2f521216ac1b383209d943ee0d8ff9aa9a66aa8bfe933a0df5baad7740ad913b559f89cb57de44acf5d4cfcc11f3bd177af

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\DropboxUpdateOnDemand.exe

Filesize
75KB

MD5
7d0be196d264cf662aa2edfff9fbde8c

SHA1
58820a86a093b91ba563402d1e9be233c19de9de

SHA256
70272968ff5e1c47883ecb74680cf3a298af7b87ccacb932a57a0198ed69a65e

SHA512
78f1621513b5404c53a485258d9a027ba619ca570bfb018e1a1f1eaca23ab4e79bd714c2cc3d1ab55ba0abb84c0af7b64d14bb7ac89225a5d2c817c75d1b9927

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdate.dll

Filesize
1.1MB

MD5
4afe69cbfdbf9914ec0c597f5bc5a1f9

SHA1
88e03e83a62e5fc37c94b26e6e5547b4ca7ead9d

SHA256
34b68127792f3c80c4a3e616c9c8cff8e53533518f80c4aac78f2aaa26e9615a

SHA512
1cc19966856b1495334d606ea8e9269f9203a6cb5d9dbb919c3485b0ff9e1941305af062e3a0e740afd2d2d6be8a4d50882c428c8058a2b1f8dbba4cd59f8fe9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_da.dll

Filesize
32KB

MD5
1ac5617cafffbb69ab768095c77b4306

SHA1
c120a49e4886f839fb96c84f87727dd023fcec19

SHA256
8fadf121a5766032bfddd0f6342dd6e2a612996370ed1f5c548f5cbb5ac548f9

SHA512
fd26156f9651f5237df3461128547496ab623c5a34c691f410177c3198608de8618a199f48f3a02155ed3fcb8d9717fd3c3cc8834013a99f1dffa4f3d8913ff0

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_de.dll

Filesize
35KB

MD5
8ec648743a036ef57ee419488b01387f

SHA1
afa9fca0cfb21cc1f05b31f1b55b1f47e18f0a88

SHA256
9373bfaac15573f63b42cbcd39e4ef15a06d6a27696541f1274a2aef25570e70

SHA512
a7af27890c0fe3f86bff9ae03734442a2c0b4d9315a5a6221531270caa8dd6e55e66659f6c1062d589a08a41a92dc4101f76430d528694b037de73b4407e4e5a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_en.dll

Filesize
31KB

MD5
fc198c77a954eb0eda8424eac724584f

SHA1
d1bdeb781372cd4907e519c2fd81094441385536

SHA256
67d5c3f8a6e9415deef22148a4216518a7ee52b468ba6bb1c67020d56d9e3745

SHA512
74572d8422a57046ccf5729eae36c396028b9162581dad80f20299fa11426bf453a7ba5a34022ec3103a7b995aa9e77f5dc44ba9de1570b03b964b38559306d6

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_id.dll

Filesize
31KB

MD5
5ea2ba9a437c4b6bfbb228356ea3be59

SHA1
19d27cf893537002313808a4e32581f344e4eaca

SHA256
e0d5ea9edec2692553371e4579a63d5dc7c554867f3f90ebec722d97d2af87b5

SHA512
fb78b0c4d7066922cfa7a234e6e2023042d3e2f25cc6a6be5eb26782d836bf30f090eb15be77b4c211e9c7fd8bc28b7e92e50cb7bb2a045412c74e8982049fcb

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_ja.dll

Filesize
27KB

MD5
d22b960d1fa795eb7996d1be6a02aab2

SHA1
e526d5ce5719e1de891169305a367677f76e6e7a

SHA256
016567f8ee776cb57dfbc7e6a8908bef7004fd9abab4286800863c745c08e1c0

SHA512
40064f12538c55c2589bfa40ac8559aef71177ff7379e89c68ccb509c012a4295977eaf87e3a7be50c30e36d276b798217d7ce902240480f54f35fe44497d2ce

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_ms.dll

Filesize
31KB

MD5
6922f23814bd549972b548acc4e6afce

SHA1
17a6e724904a09175b1c3ecf40e6929b89662585

SHA256
d7e3c82e12447a9aa4085317f65447607b75f62fa89edd38fb5621dbaad9211d

SHA512
f59d9e56e2a06fbd8853bccae6e69f6b51c07bc9c18c84e559d6e81bdec90c51c555676891d9a9c6233faedfacfd15941abd1c033710e14ba028cf82557109eb

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_no.dll

Filesize
32KB

MD5
6bfb6b741d1eb83a8d1a96680bc6da51

SHA1
9263e45de354b17b9091b688ac63aa31796647e1

SHA256
8a1622e758b4cdcdcef80095f59c604ba878b1c853d66a338459b4de32ed5fdb

SHA512
d65093e4c85cfa22054c9c09113a36360b23214ccf7f6cdf84df0d4d8a905ffa6a20e8385fb3fcf78fb96d91ce49f29826c07ee81fc62507218b48ef6231a5ed

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_pt-BR.dll

Filesize
32KB

MD5
2ea9dbc90cf842de5ac5cced84d83a8d

SHA1
2a63a275a4d4252d4e92a2e2d5827f1cc1789a4b

SHA256
b500301065031c6826991f0b0e712e2ac09c465f686b27e0aa5121a9d2bc2529

SHA512
57d50c6124273655e4cbd3c476882b7795e3d58c44121c5260bb9efcfed75fb708e622eb4e67dd4e1dfb3fa7e1b9680ae35a51248c8dc901c64c6fc708c46fa2

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_sv.dll

Filesize
32KB

MD5
c8a5dea2d0343249eac44e0dc550b2dd

SHA1
681081760d2983f2025e21356397b5bc067c3501

SHA256
401263a24666710b8895e0d5fa5857f7d86c4ec21595573894e07517e94b52ff

SHA512
bfceea37a5e525738380ee9049daca1913da5603ead0057f5e8f54022961db1cdf0da370e1af8b841997f1e46514eb5f4e3c4492cba66c83d6eaba1a568fe05a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\goopdateres_zh-CN.dll

Filesize
25KB

MD5
0a62f2c2d232d98a8438a3d449a520f3

SHA1
308fef4ccf6926977e5bc1064f554fab0d4ba36a

SHA256
084a88a2171690934370cc603c0d809ffb9f0e55aeaa4055f38af2239d0606e5

SHA512
db74ca3fce77ce1207041494c9b4d1e86c39e9e796e8e8a31ac53e6db187b4cdc70f3b330d77db0ec0b2282b76fe9da379e7065c042993fd9044e5c1c7dec13a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\npDropboxUpdate3.dll

Filesize
273KB

MD5
52d461eb7ce99d0e6901eef682d83bb5

SHA1
c317560a11a91287dd31db5eeb2a1145f711c09d

SHA256
e07b2a1d2c932fc38d3fa6401ff0be653250a1e8173311a9312ef9478da28e2a

SHA512
429d18c1d8482469916627e32fd938f7d770b391e50f249b79bc7e0553f6b1633fdd0f0e54c069e23a22d8a174047c71dfbfc7740a026b414d56556accfd2bab

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM45F2.tmp\psuser.dll

Filesize
211KB

MD5
732dfd011b5e71f1f18229e93d8ae039

SHA1
6ff911e082622bb6ba0f43734a17de3963a29c43

SHA256
56ec8884c392f95202d07959414d256c737354ad3243971ef47e44a32f011aa5

SHA512
376df248b77a07df573b1fb3fe111d0ba4f9e91e4fbedfda24732159bb4eb359e3f6e91de13f6f698896a0a64a39c68b0a8d125efd588b5ece762daf985099fb

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\DropboxUpdateBroker.exe

Filesize
75KB

MD5
2677fb41f870e8a05cd60d4b7861e300

SHA1
b5275ca2df2865b96fc359757564febb44f34278

SHA256
4988fdaeb6a33a3169a9ea445f5bc00b7bdacb78f7ed6a98b2ad2eb73b551ff2

SHA512
d4aae16b4ba3b0b6b247fa29ca5baaf322ff0f6d941596f6ff2bf5eb1184162e2a1802d97f3040bfac3ab162259c8e4115445d23dab459e65fbad5cdd06e5ed1

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_es-419.dll

Filesize
33KB

MD5
07cf9b2367462de21cd1c1ee5ef076ae

SHA1
15676dfe46d54e7a609fea052010b847709535ee

SHA256
4d43704f744093b41f9d3315c508933a91c481732b84e0b14bf642aa5d03e020

SHA512
a96d4b80215adc19f7af295e863017bf895038ea1346222337842139d9e5de018f8706fbb251d4012db262bc608a9ae4ae21dca08df3a5621d7e00281a491942

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_es.dll

Filesize
33KB

MD5
0e13d60b08d0653ccad9cd22cf13ec85

SHA1
2ac7fef4c9be1efca0c68ce7bb4b623d2824994f

SHA256
7dc6bb82fb6133e879309b0200aec7ae7c6346deb05a53daf1803443db3c8cbb

SHA512
94909d3e43cb0a90c6fc595fb24c5a90df4f9574bbc4f447dd534e6114c14f6905bb07a758719fd45fd357f28575bdd3043335ac0dbfe498ff3c286654b9ce6a

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_fr.dll

Filesize
34KB

MD5
ffdd38e5ae41822c584b092eefed9df0

SHA1
91da41c12fa3afcac80d0077c0b3fce918b5a4f2

SHA256
3f3ac9e29e480d1c6eb271a538bb966953c9464659d044cdccd8c99df7f703a1

SHA512
e06d12b1caf8c23496c7a75f7454443ba721691e245d183ec750e95b013423310e921587c0d95e5ecce1a816c8b538290f3018b098c788f0e14403fa3cce9a0c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_it.dll

Filesize
33KB

MD5
cf26a8d0d58a87db417185922c761687

SHA1
e28c3c48594d5aef78966d0e210dd826c2f69a2d

SHA256
83c860a5942fd6b307c428869a1debb188fa4a8dc27d2ffe4abe0b8453254e7b

SHA512
fad6342c211b0597a9962c0bceb853e07f705f42baf92ac7a288fe5ea608c038923f509d9d77041eaecfa6f5f926138b524ee6cd4154526169eabb675c5ee9b9

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_ko.dll

Filesize
27KB

MD5
19b6ce8683c1d7a6ed07b93966b5e415

SHA1
9ec79b491b4cc71fe6a3431ceb5fc26a217fed57

SHA256
4638e83c8e01e837078797f8ce2e4015a05aa7e6ee121dda107adc473f4c281b

SHA512
1fb52b00a2ed152a199357bff6fe4f994c7ba434bc3f3da960cf2a9ea52f41dae9cd3a0b840c87e25ff463077f1c32fc0f354fb24288c46a251e51b47f57ce80

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_nl.dll

Filesize
34KB

MD5
7d26147723dcf53d0d1b10f98f891d91

SHA1
501674d1e4d53d0d6b92875c65118f7f5ceccf66

SHA256
5f577d78457e5010c90b3614f94eb3b03f4f66c752191e25ce2b4f397d481ad9

SHA512
deefae29107edd6c240308b7e05680b1f9a8f2525fff29a6cc47742345a21f285c6285440c26a36555b97b1d73e8b16a712177f8fcef70aea6d5da0e35123f15

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_pl.dll

Filesize
33KB

MD5
1eadd3df335b90ee62a74966c1693af5

SHA1
21e5152b54f08317f13b6c97ffd67d4d42e76aae

SHA256
16ffbd7af2dc7d11199bd769ac3355efb39b4267f0758ef8d60ce4bdf927d394

SHA512
9b9776d5e0e47acc6234913faf2421da4c896abe84f7129a928393d5ccc491ff8a92b82ef3b76b493e620bc6942e3248bc364f8669ebe2444fe477ed37956e8c

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_ru.dll

Filesize
33KB

MD5
ce5254b7aa5cc2482449b12995976bc0

SHA1
d8aba69d1b11eae587c1e5357e08f3c66acc1c1e

SHA256
8e5ddf0615b84665e5cb5b13a0d5f72167c82dc4a86cc49616ea445f6b801eaf

SHA512
5dc50fec4f9685f74d4638ed0e2f8e4c493ddc10af0416a1fc495782962d16b158bae71171338230bd17d91cc686c3e9b82febb006c634791560385328b3ed3a

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_th.dll

Filesize
31KB

MD5
1881415301940deb7d45b120a39679c7

SHA1
3bcc72d91e9a1c35f5b52768c9a77a0faf2f16e0

SHA256
63e7af52e0f6e41c351d33ed4928647ab3abbca3c767de570891c3ada13d4e1e

SHA512
6f35a017af72df217eb3e511f57d8c4796cfd996f30308cedf7b44c16cff3d34fbf5745df00398c1232e7f685425a2269cd1d35184c6b2007afaefed25549188

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_uk.dll

Filesize
32KB

MD5
17c6392aad88515222ffc54dad9a0f36

SHA1
9f0dad897f9648167b9f005b7e2ab86c6161e6d5

SHA256
cbd96676b5097470250dc8285c6523ed598ccb58a4990c78abba79d4e1a67e9e

SHA512
b5bd6ab5325e772347ab8de55ecaae8546b46bd9dc559c17c3b965b4627cfa25c406f4ca6bbe17f22e21678c80a3ec03260242f29b1beb817d78639e37a2f940

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\goopdateres_zh-TW.dll

Filesize
25KB

MD5
dbd5fa781509ed7d863ca11877f2a28e

SHA1
1b52ae5bb49c06ec7c25b7675093846978dc6856

SHA256
2217e104660a21c2c9be0ad68846fbb4f7ee16510ece768f055d9e9cbbd60a9b

SHA512
7d9b04cbc040ed6c4df8e10fbafec70500c9fcfe228a86e8ccbec4945bf04ecca6a475e20f4cbd36e5a89c6847e6107496ee23e36db0d748104bb01af8985505

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.817.1\psmachine.dll

Filesize
211KB

MD5
70663a8818622003e50b36bb392b880e

SHA1
23670b780d232e70a6cfa5b2d350992d43ef722a

SHA256
3582062df2b1120e6cbe47a4c5066b0f3e0959518ab572a62f2817e55bab6518

SHA512
0a62442874598ed8e7986a99dd9d9d4d07e987586454731feea6427fd9b2190d5d2fc502e2efade839d010ac7e11135daf0921275a911037284ebfbf8bd3c3e0

Download Submit
C:\Program Files (x86)\Dropbox\Update\Install\{358D8E15-8295-455E-B00A-25E4ACE4509D}\DropboxClient_189.4.8395.x64.exe

Filesize
1024KB

MD5
c3bf4ef6383d7a2823434b4db75fddad

SHA1
6818af165bd5090aa4fbba87acb42e6c72493ff5

SHA256
5f887ab8e41388a0ca8fc6cd714ab29854be6b153472992fbd48401fe3348538

SHA512
c137e4d17f82270e71662c4b3e998bf4349b2c8584f9f2560389e72cbdb3f02abd715ed990c2374b3c8f56e456771be1dd1ab4f09314e00d6493480e63e8af67

Download Submit
C:\Program Files (x86)\Dropbox\Update\Install\{358D8E15-8295-455E-B00A-25E4ACE4509D}\DropboxClient_189.4.8395.x64.exe

Filesize
95KB

MD5
717697e62ae5345a874494fe1d5e7983

SHA1
cdc590157c3f6e12f9c200bd13f48c0fce0f8366

SHA256
9e289d05d3b877626d753bac99f7bcbd4440fc6d02c47f75af3cc4a68bbbb7d7

SHA512
d9ed875df2885599805b3efaf4ee784ba142eb3a1d4c31bcae441f0307608e01ccab47256667e31677b6a83173a933ff150cb9cbab82af54cc38c5c2b8d04149

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm16F0.tmp\System.dll

Filesize
11KB

MD5
c6e19f882ac7c89c517ec158d8bee0e3

SHA1
4bd07cb821aca4d2eb32e7f74ae620780d8b958d

SHA256
817929ce4af784af2f28db0eea5cc9a16fa28e8ed0b3bd497ed8dda0619207a3

SHA512
cbf559f48b66e2bdf9e0de75d48f169fe2a112e34981c1463856e50807ff05f63afb512afd99503126d9f700ed4eda9bfa45fd38ded5d55d4c8738043ec7e62f

Download Submit
C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job

Filesize
924B

MD5
8b9939b75958c4927c8bce0262d7f797

SHA1
0f2573a98629b5ec6a154310cbcfc1573589f9f7

SHA256
22411166c201f6de9fd90b1607da75a9ec225f46905a214de10f848b707d622d

SHA512
5a30893cbe53d9f80bd64bbdc680e31c498a96f2bd52f8a3064c6eb9a5a6699e8db9b50440ff5becb9d705eef51936a6d44fd3c5df08ad8268da7fb9ce0aa2a7

Download Submit
memory/1276-5648-0x00000227FF8F0000-0x00000227FFA1A000-memory.dmp

Filesize
1.2MB

Download
memory/1728-374-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2364-67-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2712-5496-0x000001BFFBA30000-0x000001BFFBB5A000-memory.dmp

Filesize
1.2MB

Download
memory/2712-5495-0x00007FFEE0780000-0x00007FFEE0781000-memory.dmp

Filesize
4KB

Download
memory/2752-5081-0x00007FFEC2750000-0x00007FFEC3211000-memory.dmp

Filesize
10.8MB

Download
memory/2752-5074-0x000001781DE40000-0x000001781DE50000-memory.dmp

Filesize
64KB

Download
memory/2752-5076-0x000001781E1A0000-0x000001781E1B6000-memory.dmp

Filesize
88KB

Download
memory/2752-5078-0x000001781E230000-0x000001781E256000-memory.dmp

Filesize
152KB

Download
memory/2752-5077-0x000001781E1C0000-0x000001781E1CA000-memory.dmp

Filesize
40KB

Download
memory/2752-5073-0x00007FFEC2750000-0x00007FFEC3211000-memory.dmp

Filesize
10.8MB

Download
memory/2752-5063-0x000001781DE50000-0x000001781DE72000-memory.dmp

Filesize
136KB

Download
memory/2752-5075-0x000001781DE40000-0x000001781DE50000-memory.dmp

Filesize
64KB

Download
memory/3156-5094-0x000001D8635A0000-0x000001D8635C4000-memory.dmp

Filesize
144KB

Download
memory/3156-5091-0x00007FFEC2750000-0x00007FFEC3211000-memory.dmp

Filesize
10.8MB

Download
memory/3156-5092-0x000001D863490000-0x000001D8634A0000-memory.dmp

Filesize
64KB

Download
memory/3156-5093-0x000001D863490000-0x000001D8634A0000-memory.dmp

Filesize
64KB

Download
memory/3156-5427-0x00007FFEC2750000-0x00007FFEC3211000-memory.dmp

Filesize
10.8MB

Download
memory/3444-5551-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5552-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5559-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5557-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5558-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5553-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5563-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5562-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5561-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3444-5560-0x0000029BFB320000-0x0000029BFB321000-memory.dmp

Filesize
4KB

Download
memory/3852-5462-0x00007FFEBE5C0000-0x00007FFEBEAF8000-memory.dmp

Filesize
5.2MB

Download
memory/3852-5602-0x0000024F780F0000-0x0000024F78578000-memory.dmp

Filesize
4.5MB

Download
memory/3852-5461-0x00007FFEC10E0000-0x00007FFEC131F000-memory.dmp

Filesize
2.2MB

Download
memory/3852-5460-0x00007FFEC1320000-0x00007FFEC155A000-memory.dmp

Filesize
2.2MB

Download
memory/3852-5463-0x0000024F780F0000-0x0000024F78578000-memory.dmp

Filesize
4.5MB

Download
memory/3852-5604-0x0000024F02830000-0x0000024F02831000-memory.dmp

Filesize
4KB

Download
memory/4120-5651-0x000001A36DF80000-0x000001A36E0AA000-memory.dmp

Filesize
1.2MB

Download
memory/4120-5541-0x00007FFEE0240000-0x00007FFEE0241000-memory.dmp

Filesize
4KB

Download
memory/4120-5544-0x00007FFEE00D0000-0x00007FFEE00D1000-memory.dmp

Filesize
4KB

Download
memory/4188-5624-0x0000000003E80000-0x0000000003E81000-memory.dmp

Filesize
4KB

Download
memory/5128-5682-0x000002ADD61F0000-0x000002ADD631A000-memory.dmp

Filesize
1.2MB

Download
memory/5328-5683-0x0000021BDC6F0000-0x0000021BDC81A000-memory.dmp

Filesize
1.2MB

Download
memory/5380-5610-0x00000240C6260000-0x00000240C6280000-memory.dmp

Filesize
128KB

Download
memory/5380-5612-0x00000240C6880000-0x00000240C68A0000-memory.dmp

Filesize
128KB

Download
memory/5380-5608-0x00000240C62A0000-0x00000240C62C0000-memory.dmp

Filesize
128KB

Download
memory/5484-5635-0x000001982E620000-0x000001982E640000-memory.dmp

Filesize
128KB

Download
memory/5484-5632-0x000001982E220000-0x000001982E240000-memory.dmp

Filesize
128KB

Download
memory/5484-5630-0x000001982E260000-0x000001982E280000-memory.dmp

Filesize
128KB

Download
memory/5552-5670-0x0000022FB9500000-0x0000022FB9520000-memory.dmp

Filesize
128KB

Download
memory/5552-5673-0x0000022FB9910000-0x0000022FB9930000-memory.dmp

Filesize
128KB

Download
memory/5552-5668-0x0000022FB9540000-0x0000022FB9560000-memory.dmp

Filesize
128KB

Download
memory/5568-5594-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/6048-5652-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.