117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
Size

770KB
MD5

4b2d016a2c5149c6625b780ec6e5de14
SHA1

93dd8911cc99a46d56c6d05a0da0a2a409b48c5a
SHA256

117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717
SHA512

dd3c0733b9681bd5469489da8989ec759b69c4f56ac0b3c22bc45ad4cad212b9952951f08252543e2232c5a499501c8ee71a8e9517604a21e22ab31203a96f81
SSDEEP

24576:O7eit0t9EsyC1XS64DbvYwdzv1n4WwwS6u3sK:O7eimfEsr1X/4wwbn4Wpi

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe

Executes dropped EXE 7 IoCs

pid	Process
2688	DropboxUpdate.exe
1068	DropboxUpdate.exe
2512	DropboxUpdate.exe
1276	DropboxUpdate.exe
2580	DropboxUpdate.exe
2468	DropboxUpdate.exe
1464	DropboxClient_195.4.4995.x64.exe

Loads dropped DLL 28 IoCs

pid	Process
548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
2688	DropboxUpdate.exe
2688	DropboxUpdate.exe
2688	DropboxUpdate.exe
2688	DropboxUpdate.exe
1068	DropboxUpdate.exe
1068	DropboxUpdate.exe
1068	DropboxUpdate.exe
2688	DropboxUpdate.exe
2512	DropboxUpdate.exe
2512	DropboxUpdate.exe
2512	DropboxUpdate.exe
2512	DropboxUpdate.exe
2688	DropboxUpdate.exe
2688	DropboxUpdate.exe
2688	DropboxUpdate.exe
2688	DropboxUpdate.exe
1276	DropboxUpdate.exe
2580	DropboxUpdate.exe
2580	DropboxUpdate.exe
2580	DropboxUpdate.exe
2468	DropboxUpdate.exe
2468	DropboxUpdate.exe
2468	DropboxUpdate.exe
2468	DropboxUpdate.exe
2580	DropboxUpdate.exe
2468	DropboxUpdate.exe
1464	DropboxClient_195.4.4995.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	684	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7C5C79D5EA2EAA218D5C63883951605	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7C5C79D5EA2EAA218D5C63883951605	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751	DropboxUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdateHelper.msi	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_ko.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Qt5Network.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-core-file-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\tprt.cp38-win_amd64.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-crt-stdio-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-crt-time-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\TinyTile.contrast-black_scale-100.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\taskdialog_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\StoreLogo.scale-400.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_id.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-crt-conio-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-crt-filesystem-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\dropbox_core.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\ntdll_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\winenumhandles_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\PyQt5.QtWidgets.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\_win32sysloader.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-core-rtlsupport-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\isotope_python.cp38-win_amd64.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\progresstaskdialog_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_es-419.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Qt5Core.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\user32_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\win32event.pyd	DropboxClient_195.4.4995.x64.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\@PaxHeader	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\win32pipe.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\TinyTile.contrast-black_scale-125.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\StoreLogo.scale-200.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\TileSmall.contrast-black.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdateBroker.exe	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_ja.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_zh-TW.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-core-util-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\ffmpeg.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-crt-locale-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\TileSmall.contrast-black_scale-200.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\win32print.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.761.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\PyQt5.QtQuick.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-core-processthreads-l1-1-1.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-core-sysinfo-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\shcore_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\vccorlib140.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\psuser.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_es.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\PyQt5.QtQml.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\dropbox_crashpad.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\kernel32_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\StoreLogo.contrast-black_scale-125.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\Assets\StoreLogo.scale-125.png	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_de.dll	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\PyQt5.QtNetwork.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-core-heap-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\api-ms-win-crt-environment-l1-1-0.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\gdiplus_native.pyd	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Client_195.4.4995\195.4.4995\msvcp140_1.dll	DropboxClient_195.4.4995.x64.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\@PaxHeader	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File opened for modification	C:\Windows\Installer\f7677bf.msi	msiexec.exe
File created	C:\Windows\Installer\f7677c2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93B9.tmp	msiexec.exe
File created	C:\Windows\Installer\f7677c4.msi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Installer\f7677bf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7677c2.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DropboxUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DropboxUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd1900000001000000100000003b878212830eb36469856f1c683b836c040000000100000010000000e67b586f7046bfe0aa51f6660b119dd90f00000001000000200000003689022b62bd20e807ccc1f32720ab2a9eeb0712e84cc373464b29cc436def97140000000100000014000000b76ba2eaa8aa848c79eab4da0f98b2c59576b9f41800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000002000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DropboxUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\ServiceParameters = "/comsvc"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\ProxyStubClsid32\ = "{AF00043F-18CA-495E-95D8-EADBC89BE365}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\ = "Dropbox.OneClickProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC422F86-7267-4AF2-8F4F-A20C060621DE}\NumMethods\ = "13"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher\ = "Dropbox Update Process Launcher Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\ProgID\ = "DropboxUpdate.OnDemandCOMClassMachineFallback.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\ = "ICurrentState"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass.1\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}\ = "ServiceModule"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\NumMethods\ = "10"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\ = "Dropbox.OneClickProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\VersionIndependentProgID\ = "DropboxUpdate.OnDemandCOMClassMachineFallback"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}\NumMethods	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9614AA6E-82BE-4E1C-A68F-C7DFDAB2FEE8}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.761.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ProgID\ = "DropboxUpdate.CoreClass.1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\ProxyStubClsid32\ = "{AF00043F-18CA-495E-95D8-EADBC89BE365}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher.1.0\CLSID	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9614AA6E-82BE-4E1C-A68F-C7DFDAB2FEE8}\InprocHandler32\ThreadingModel = "Both"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0\CLSID\ = "{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\ProgID\ = "DropboxUpdate.CoreMachineClass.1"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C416C376-AEC5-4443-9D90-BEBA9434763B}\ = "IGoogleUpdate3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Net\1 = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.761.1\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\CurVer\ = "DropboxUpdate.CredentialDialogMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}\NumMethods\ = "4"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\ = "DropboxUpdate CredentialDialog"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\ProgID	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation\Enabled = "1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe\AppID = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\AppID = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\CLSID\ = "{3A337332-37E4-4063-B4F3-6416846C8A33}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\Elevation\Enabled = "1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\VersionIndependentProgID\ = "DropboxUpdate.CoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback.1.0	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\CurVer\ = "DropboxUpdate.OnDemandCOMClassMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass.1\CLSID\ = "{3A337332-37E4-4063-B4F3-6416846C8A33}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\NumMethods	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	DropboxUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee140000000100000014000000b76ba2eaa8aa848c79eab4da0f98b2c59576b9f40f00000001000000200000003689022b62bd20e807ccc1f32720ab2a9eeb0712e84cc373464b29cc436def97040000000100000010000000e67b586f7046bfe0aa51f6660b119dd91900000001000000100000003b878212830eb36469856f1c683b836c0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	DropboxUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd1900000001000000100000003b878212830eb36469856f1c683b836c040000000100000010000000e67b586f7046bfe0aa51f6660b119dd90f00000001000000200000003689022b62bd20e807ccc1f32720ab2a9eeb0712e84cc373464b29cc436def97140000000100000014000000b76ba2eaa8aa848c79eab4da0f98b2c59576b9f41800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	DropboxUpdate.exe
684	msiexec.exe
684	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	DropboxUpdate.exe
Token: SeShutdownPrivilege	2688	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	2688	DropboxUpdate.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeSecurityPrivilege	684	msiexec.exe
Token: SeCreateTokenPrivilege	2688	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	2688	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	2688	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	2688	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	2688	DropboxUpdate.exe
Token: SeTcbPrivilege	2688	DropboxUpdate.exe
Token: SeSecurityPrivilege	2688	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	2688	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	2688	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	2688	DropboxUpdate.exe
Token: SeSystemtimePrivilege	2688	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	2688	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	2688	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	2688	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	2688	DropboxUpdate.exe
Token: SeBackupPrivilege	2688	DropboxUpdate.exe
Token: SeRestorePrivilege	2688	DropboxUpdate.exe
Token: SeShutdownPrivilege	2688	DropboxUpdate.exe
Token: SeDebugPrivilege	2688	DropboxUpdate.exe
Token: SeAuditPrivilege	2688	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	2688	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	2688	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	2688	DropboxUpdate.exe
Token: SeUndockPrivilege	2688	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	2688	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	2688	DropboxUpdate.exe
Token: SeManageVolumePrivilege	2688	DropboxUpdate.exe
Token: SeImpersonatePrivilege	2688	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	2688	DropboxUpdate.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 548 wrote to memory of 2688	548	117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe	28
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 1068	2688	DropboxUpdate.exe	29
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 2512	2688	DropboxUpdate.exe	31
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 1276	2688	DropboxUpdate.exe	32
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2688 wrote to memory of 2580	2688	DropboxUpdate.exe	33
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37
PID 2468 wrote to memory of 1464	2468	DropboxUpdate.exe	37

C:\Users\Admin\AppData\Local\Temp\117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe
"C:\Users\Admin\AppData\Local\Temp\117658764c1ba53cd7070be85df5f43ffcb69c82a8d6bdd974f7c09d99846717.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3dDdBME56TXhNelExTVRVeU5ySzBNREF4TjdBd01iSXdzd1FTbHFhV1JrREt3TGdXQUo3YURhVX5ATUVUQSJ9"
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:1068
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2512
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDVjbFpwY0U5TVV6ZFBlazB0VEhvd2VGSnpiRWwzZERkQk1FNTZUWGhOZWxFeFRWUlZlVTV5U3pCTlJFRjRUamRCZDAxaVNYZHpkMUZUYkhGaFYxSnJSRXQzVEdkWFFVbzNZVVJoVlg1QVRVVlVRU0o5IiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuNzYxLjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTcyOTk5NjktRTM3My00NTUwLTlCMDctMkQ1QUE5QzZGMzgwfSIgdXNlcmlkPSJ7NDUyNzIxQkYtMjMxRS00Q0U0LThERDEtNjFFNzFDN0NFNEUxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezk2QTlBOEE3LTgzRUUtNEEwOC1BQjhDLUVDRUEwMTUwODk2Mn0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntEODk2OEZGMi1FMEIxLTRBMTMtQTNFMi1DOUYyOTk1RjNCQzZ9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuNzYxLjEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    PID:1276
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3dDdBME56TXhNelExTVRVeU5ySzBNREF4TjdBd01iSXdzd1FTbHFhV1JrREt3TGdXQUo3YURhVX5ATUVUQSJ9&nolaunch=0" /installsource taggedmi /sessionid "{17299969-E373-4550-9B07-2D5AA9C6F380}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files (x86)\Dropbox\Update\Install\{9D006808-FADA-471F-ACD0-FAB9D9C131B8}\DropboxClient_195.4.4995.x64.exe
  "C:\Program Files (x86)\Dropbox\Update\Install\{9D006808-FADA-471F-ACD0-FAB9D9C131B8}\DropboxClient_195.4.4995.x64.exe" /S /DBData:eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3dDdBME56TXhNelExTVRVeU5ySzBNREF4TjdBd01iSXdzd1FTbHFhV1JrREt3TGdXQUo3YURhVX5ATUVUQSIsIm9tYWhhLWluc3RhbGxlci1pZCI6Ins0NTI3MjFCRi0yMzFFLTRDRTQtOEREMS02MUU3MUM3Q0U0RTF9IiwicmVxdWVzdF9zZXF1ZW5jZSI6MH0 /InstallType:MACHINE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7677c3.rbs

Filesize
7KB

MD5
07221e1d1c9afaa26ac62bc38ff69d23

SHA1
6ddfe1cb6da56878c3d0bd1738fa8ea18713fd45

SHA256
1409bc3d8b42ff076d40e4634f1456b02fd2ed70f0b2c3d34eb150b875184791

SHA512
3d93f93888de7f1cc2eb5a4acda0c4b85bc87282217d7dc82127d0adfc5fe0e27190721b39e093868b450e694e5b89dd9837434f1f8d807877f078babf3db38e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxCleanup.exe

Filesize
299KB

MD5
8fa7f9a62ea19f3691e8a24833a5bc25

SHA1
23f0825ce2f4731cc73e82ca814872b512d333dd

SHA256
0d9c6de8a57443bffe718d3256fdd467b8970124ba65d8accb6f47dc54d46d72

SHA512
3d8243c4a42f96d549b09797f39b0f2fbef54d643ee4048c24eb6a1b748ef07ecd6bfdc142fe4c13838b0c07957b5e558ebf98fb7bdcc841d49fcff0a06eccf4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxCrashHandler.exe

Filesize
129KB

MD5
4d0ccec5560d013004c6143a8b46b4fd

SHA1
4881c84035d327999e156555233b85e2d5e252b0

SHA256
02618e6399ae8e99df5a4f523239451e5a5d23a8c80ea5afeecfeb29de4be4a7

SHA512
f2f5c6784f100a933328b8c2a403c233e42f81ee339c189c088afbb48f3e73a2bea2500e69e88ac6ddd0c27204eaf91811c6b35bd3d42ca67288cede6cb62f3b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdateBroker.exe

Filesize
75KB

MD5
4d3a85b133ad6bc102c7849638ae5e6f

SHA1
5a065bb75c30a6e4b0988cb8aec9cb7e863a2ed9

SHA256
244584df7838f51b0125dbdc8ece45c3f734c281afe26ced86bc1d11f187d416

SHA512
8800ec0d2a6aa4f068dbffb90c3f0e966a0836e5a3c4d2590707653ca8cbfa04b33bccb4a99d94f3a92b8c184b1b5f0d755aa732fb5e1c9486f67ba3534688d5

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdateHelper.msi

Filesize
26KB

MD5
fb467307098a998d3836ca8b87157a4a

SHA1
c3733d4f6e14198f3e7125bdd71f7cdc1115a793

SHA256
3af0421ca92962c0154145dc06a223bfecc59a58966d860d232703a32d08a820

SHA512
851c2919cfda7e38325ce7ad1bb3f4b129e1508da65c7592ec53f4854ec012d925464bc52597c3ce0591e829347e56ecfe3f1ea6fa7f10f825ce6e6317831fa9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdateOnDemand.exe

Filesize
75KB

MD5
934bc0439cc3b11c2d6d9031119326b2

SHA1
64f3eb19c1ddc3d07da2f868be54a70adcd83455

SHA256
7a016aeb36269947e4961cc030d857557d14e1e954d10bdf6a264f992b647d45

SHA512
e0e279d0e68d1c6e2abdd673baa24ad1ce5cf2743f9ac3515687551aaec14407909fc79d439d58d86e4347182b16c7e1a8bfa00216b330cbbd721a8b75633ef4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdate.dll

Filesize
1.1MB

MD5
8cef863dae49754afb4e31853341aa4f

SHA1
379825bd7d7305eaac49c61fbb553b515cd79f6b

SHA256
cc4e06440aaa7d81abb2b8935343f6f3c0b5736c1a20bfb53b0af0b41c49b7bf

SHA512
4ba532692cfa675791e329fe665dcbb078a6df7002a8b4a5e2940028ec004e594b25e387a55f0b372a7a939d4c558faceb2e9d7c79e264f2b1609bccf1626bf7

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_da.dll

Filesize
32KB

MD5
c1289300556d83492daa4f52a65139eb

SHA1
44d408489dc076ba4319f4a4b54d45ab267d5429

SHA256
1f117457bff89326e78d3bfe7dc2dce747211377c2e31fdbabd7e167905074c8

SHA512
feee885575a91381635e2745f93e885454d8c85fb781462898318e3293a33d0be92d2885b0ae89fc4ad6215d88afa45b6e5ee991aadbf09f84af083a90c81b66

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_de.dll

Filesize
35KB

MD5
c521b614d63ec286b5c4a0e156910cf1

SHA1
292c175d80940682072bf95ab1a6b9d7f52618da

SHA256
4bb880b2382a38c928fabf2d8e6540343a01942a97a889811e04052a7f1b71c5

SHA512
16b1a19edc03e1e2d42c091b60705ed4d09ce940379a211ec4ed350430998fa074653dabdafb3e1d27e8f4cd5cc5392f63c51740e6b053f8030066fd836a87f7

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_es-419.dll

Filesize
33KB

MD5
06ae1601082b29d493dbb8731fac371f

SHA1
8722c25e4846fb8733ad1fc684c47b18d7e07bac

SHA256
33c14929455ea3407eac56f69fe139c4808af89b8c4f53c2f2d56f7ce13fc774

SHA512
67ec944daeeab6e76f37391d88cbffbf4469587f6692d8094636260b3ad46a6eeba1ee29094f47e747ee38b4d875bb4260d523e9e28dafba9018aa4112852db8

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_es.dll

Filesize
33KB

MD5
cbd733f6f431980bbded51780f807a4f

SHA1
5fdbd3ba5cd93357807b7b2147df87359c6fd8c4

SHA256
b38ba975563441ad456949a97602d95a6ad0cb277806c56e5a84122fcbd01fbe

SHA512
b0e7d1388f3ce70a168809b4b73a16032bca599796643ca94e04600ef736f4de2b3a5ff18c6c01cdfeb30526811e28a66a3ae5f0ba38e9bb9d7d4905653ff32a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_fr.dll

Filesize
34KB

MD5
d6c2a3a4680bbfa54c8fd105db5f6071

SHA1
adbf86ebba0d83302c8bf2cd9d07a5a4ba310dc6

SHA256
edd23030a7f718224168ba619b96519fe13171d7039805304e9e68bdaf53327f

SHA512
335efc531479d0a88d377a0c4ec3025d71e0b3c764042737cc5f3fe6aa01bc6a8b089299f4719889de27eadf58a845da654d0fc5720d42550e5366a0b7f05fad

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_id.dll

Filesize
31KB

MD5
7aaaf7daa74593d3f4f26bacbd87ae1e

SHA1
b49641ba3a3690567e7eeacc4683c893f9672c2f

SHA256
e91dc5fedc46d162e4af252974dd6d3ecc20c4f8133cfe8a934627435b09203f

SHA512
27c11bef4e3b420b7931de7f4a35761f8fa31fb38bbf192feece6b56b0f0abf8d59303abe4f69bc0d43c01f8b9d7720251325ef331b76fd881ec683b7625f350

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_it.dll

Filesize
33KB

MD5
e4be28c214d66ff84d507d2ddaa41a68

SHA1
5f7043e2c373144ae5aa8ff295c050455ba5b54a

SHA256
30de5ef5d420fa72c80ceccedefb1c74e4b13ab3ceae05086244600c4370dd2f

SHA512
df59b8e9ae09c2fe47d1b951c164c4b539c39ca033931c770b8f2aaa638522a874b1af7934eda8d3d286a4f6bcd01e1f1c00b0a06629d74f4bc4b962f000e4e9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_ja.dll

Filesize
27KB

MD5
14f49d411f86f6f73d4ba696800d5280

SHA1
c681a09a04cbc3e7ae9b69066d803fea2c06364c

SHA256
b9a6bd0e5e6532f5f0ee4d625d13bf820674e487fbdf9c3f090072aa34ed3bf7

SHA512
47b87103391bf5f00c5187050b99410dc6d4211ab573942e1177e844c7753ddb381450da7a2214ae3052a3837667ad7cb3e019c0d2ee0a65314c25c49cd96d0f

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_ko.dll

Filesize
27KB

MD5
3c648323082d51a2aa0beb8d4b068d99

SHA1
8b232373b3b8f5c122cdea4259220b21f9b47c25

SHA256
ee343316f429686295fd62c66e3bee4b006760e6d4b1841f3a3d70b0765b8f76

SHA512
26be89433ce1591564fb8688e0bf648df6053eac979f1d04d92e17303f83d82584d415eb0a1d5ef5269b610b34e30b6079fa8d234255282cc7dcd2cfab440e92

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_ms.dll

Filesize
31KB

MD5
5735bedbd9ecb7f3264671a747431a22

SHA1
cefe8703b0f7bc334d704601a736d4c49897d561

SHA256
a675677c5db2529e0c0b3bada5dc0adbf8046246b11d46f8fb5b8a2428e3f7d8

SHA512
4ffd2c3ac40a9c872d0096345942283a4fe258947feb6ba3d8cf8498b582cca071689fbc5766b2eca68ee1a4d250fe587600a7589e647d867dc04467c10692ae

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_nl.dll

Filesize
34KB

MD5
6feeeec9d49faea1d07d35f618ff2f23

SHA1
13bca7bdb651cf980b15f8cf831f0f192549e129

SHA256
f0629fd15bf50a051d8cefa88955bbdbcb43168b4df5cc1ffa94381710a48080

SHA512
6f92583fdc7be218989e92900efcb8b490201ed3c14aa7038a4667a8b2f8d6730fcc91a8d8d2d0db6a691905fb3862c183dfcfa1b595d430d49ee8af158b171b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_no.dll

Filesize
32KB

MD5
c6d0bb6d261d4673764028a860b047c4

SHA1
81d01245f156d84ff8c195b1c806005d2a28d882

SHA256
daa873a1e8474e955544dd08c239651f5ca71fcec4da725f3a9018942285d8b1

SHA512
9099a62cadd41f33d05c3b6eb0af1d37509d3b1f2fcd402024b19a1dd744223e9ec8601959808d1175ad1aca01a2a6ca97cc1d74f37839c39c7b164c0b7b5be4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_pl.dll

Filesize
33KB

MD5
f41720449445622dbe926ab2223dae35

SHA1
b09cd888ea2100ace9025863a7718715c8f52cad

SHA256
e5634445f290c02062f328923a17f6cf64d97b8ec2f39b2dcdc17abd68b5804c

SHA512
25b13cb517c6001b9e4b49960ca9006719b646c351e70f425d90dd8a79d7697bd3ff101c62afb389d94e1406fd6685d65d346ba49397a68fda65b301fb839cc9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_pt-BR.dll

Filesize
32KB

MD5
4cd53b5d1df90f73457c89a16686c8ef

SHA1
b3dfe49d83a9bb7229a2eb0d90baeb8d3757b744

SHA256
acc7058a00f86c96ee393d1c9b9edc072346c540492607114879ce912a6a077a

SHA512
aa3915284922ac976bff80ba0fa180b2659ed4ec8918161bb4b54180426ef2032cb031cf5818100277a7b109304dcca1ff47cbd8201e92d53c64a7e3cc2bacdd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_ru.dll

Filesize
33KB

MD5
8683871b8e01236278c1aebb7a1272dc

SHA1
dce879e813dca7ebf3e72cbcc112beb9b3913b57

SHA256
21517e571c100bc5d46b71e3c3dac9469fccdb7111317689f4bf3a61299d4637

SHA512
2108f15a684d49dd489f7f779ea633700cd9f2330635e179c1cacaa81d2f674f90d3c04feb020b632af38404597e1645ef6278aa2ee524d3817902559fd4f1e0

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_sv.dll

Filesize
32KB

MD5
5ec05b764e42833537994957353d2613

SHA1
aa1f98972522b263ed686bcb180fe3575fbb2370

SHA256
7a1bc16bca6cf3fd914df3b485321be79cc339e8d590693702ca36da8b084028

SHA512
71d71525dd29dff48c423b2ace985098794f26c52c4cdcc57ad52a0ab8bf55c6eafb8a990880c016ccac6c0c7d7709bf53293ec520bc97eee32843a27d6fd1e8

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_th.dll

Filesize
31KB

MD5
e88b95b7cb9bdcc4d770cb6fa8fb292c

SHA1
1493522b0d008256f5c53f39547e770a800ad123

SHA256
f36f30e19a55a2194087eb6373f08a6f7ad68bf939da12c69132e346dc79242d

SHA512
b65dbc0a408bc38fda0e520c8c3cc5803d8b711bcf3fce684a9e9401282200c9ff4b06d296189ba8e960ba9fee009af7f8383bea8e82f16848782cd5d8e6283d

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_uk.dll

Filesize
32KB

MD5
a2b1957643377100b1c777316b813438

SHA1
1e83f73e3bd0f24ab7b41079ec22c270ec92cd65

SHA256
ae96fc8006b7201b041473a10c498ae4889c6eb81cdf0bee4270ca7a2745395a

SHA512
e5efb0bd54e237a5b7d2bcec805aa093b71ed92ec1ebc739d1c499d1579072e065e2906b377624faac5722739d24c8694cc805f2a5f9a5d1c8ed19b793363c85

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_zh-CN.dll

Filesize
25KB

MD5
08b03f0884831793e56960403b4e0987

SHA1
f3ded14d42c162b5bd831bb1b7a109e6959239da

SHA256
07f5d695f61c2885f22149c5cef669c365e1086a825e0ea20cf5f49db71b3ffd

SHA512
cf53ebcbd25f302e2e4f43eab00b8436640797b0d05a01eeb4bb0b6cae478db8f29e5191cc105d971069a816a4938467b0321c1e64aa5d4d4c4f2d1934cf9c04

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_zh-TW.dll

Filesize
25KB

MD5
381d2ce762cb24b3aa67424ea6598990

SHA1
03d4280434452da4b8116345ea183752a8db9560

SHA256
44fcaf1bb65cc2b6a670363341330aaebbb1f47d6b42990af20671d9f83be4be

SHA512
09cadcba6ee86f4dbcfcecee4173c146c22ec78b8edb111f9665cab289ddfd448494e32c6e3e11dcf9fea2f782751f777c4bb59a96d6691d337c55d69f3ac523

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\npDropboxUpdate3.dll

Filesize
273KB

MD5
7d4353547b80786631735c397cf3b82a

SHA1
c51f475af0e95cd56f11565cf503f2f92fe1ef78

SHA256
4275c513a038d1a3eb3f64030aabb17d2ad7fadd314f67baed452405d94938f6

SHA512
5e4df0b91ef9d3a9bf9c08684d376a68c4cfcbf2a500d0e0d9f6c54aa32f777a24d4b2efe312c9db73c4819f009e3b3dad7720f4fa9932f48900e57820a09cbd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\psmachine.dll

Filesize
211KB

MD5
23b51c1f7a2a52176837de18b5ee30ad

SHA1
cd78068f1d3101c922a9313693d0ea796f70920f

SHA256
8e7cb942bbac612139b9a23c3c88cae2f2f468b0985c5e232371ef06075bd9fd

SHA512
e3b9d18b0ec79d8c0176a595656f6b06fcaf5b1033037b6394ebdf9d064e0ad3219159aa659d6c6c3dca859e2fd0489821310f9bc08117d3cb6ded948a19fdf5

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\psuser.dll

Filesize
211KB

MD5
ea45813115295a608fefca9601dbeef5

SHA1
5d5d0f6162cc07fc9f06b8da6a97dde099c7f78b

SHA256
58d2cba2d3d3b35976f4f64a799d6ee35bf8f133adc6042a622b17f19edb3fb2

SHA512
9d2f162368005e79e0849e5378b66ae076c4dea742511880a3e4bacd55da4742683c2b7ccfc69e493e22ddf19fa437d5b1bb9987e3ec577782fc322a8b94ce79

Download Submit
C:\Program Files (x86)\Dropbox\Update\Download\{CC46080E-4C33-4981-859A-BBA2F780F31E}\195.4.4995\DropboxClient_195.4.4995.x64.exe

Filesize
190.3MB

MD5
ac306c3cafd210a54204968d2bed7a5f

SHA1
1b432f1a232ea0fc827669f345cbca3caa49f193

SHA256
74434df44fd509ec3f9ac8a5c46b5234da8421bcf22e9396846396e0c738c3ba

SHA512
6edd9b969b1570e75b3d13476885b78b3bd5f17239aa0fdbc9a155e4d77c40f7dc249f05bfbc1844ea3d789316dc4c0f57a038595fdd80cb109f4939dcb3e4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6089.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar60BB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job

Filesize
906B

MD5
01e6ec07b3637e7a2dd39ffb29afe299

SHA1
37cf2c209dfbe53b98be987f3868b2bf36b72cba

SHA256
e9a6599758af78feb7f82618578cd9c1ed39f7b6556389f7572da659628f3073

SHA512
ab1077882651d1ecce2017caee692a8ec68ee4497379bae1376d148b15691f7eb1c3bce7f15a58a8b63c9f6bc82f5c142d3b293704621b1d2dbe77699fac717a

Download Submit
\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\DropboxUpdate.exe

Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
\Program Files (x86)\Dropbox\Temp\GUM5D4C.tmp\goopdateres_en.dll

Filesize
31KB

MD5
fb58b2bcb59b4bcdc4b2142738bebec6

SHA1
c6f7bd3777bb869ea02ce83775a3b5565e76f99e

SHA256
73fe9b8c32d0545908852ac342b20bdbdeccc11450ec43361027470f5e398c11

SHA512
2798f2d7b832ba3f1ef18ef11315401cdcb9d1e519bb56dc836a7519c0f9ca75a68e3491500a0a43dcf595ce3877efec13992a381004b5816ee9c9403159518d

Download Submit
memory/2580-404-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2580-440-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2688-93-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download