67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27

Analysis

max time kernel
144s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
Size

783KB
MD5

ae4c5ec9d33b2d6aa3fbb5236b621b34
SHA1

b2002af14ee4f032a9dcf8babe6cc6fe3a82a692
SHA256

67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27
SHA512

0d31f8e81e1bd220727f0ed08d961790e239ea7208b9d59cb797f79e4c01b9f7cbb664c667453485c10e00f61eaa1bd4171166275d0230fa2aa668fa57043032
SSDEEP

24576:C7M1iJHJT1DGh9idqu8HoHUp+JUsLauA:C7FTQIhGoSsLaZ

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

DropboxUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Executes dropped EXE 6 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exe

pid process

2820 DropboxUpdate.exe
848 DropboxUpdate.exe
2856 DropboxUpdate.exe
3056 DropboxUpdate.exe
3064 DropboxUpdate.exe
2908 DropboxUpdate.exe

pid	process
2820	DropboxUpdate.exe
848	DropboxUpdate.exe
2856	DropboxUpdate.exe
3056	DropboxUpdate.exe
3064	DropboxUpdate.exe
2908	DropboxUpdate.exe

Loads dropped DLL 26 IoCs

Processes:

67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exe

pid	process
1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
848	DropboxUpdate.exe
848	DropboxUpdate.exe
848	DropboxUpdate.exe
2820	DropboxUpdate.exe
2856	DropboxUpdate.exe
2856	DropboxUpdate.exe
2856	DropboxUpdate.exe
2856	DropboxUpdate.exe
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
3056	DropboxUpdate.exe
3064	DropboxUpdate.exe
3064	DropboxUpdate.exe
3064	DropboxUpdate.exe
2908	DropboxUpdate.exe
2908	DropboxUpdate.exe
2908	DropboxUpdate.exe
2908	DropboxUpdate.exe
3064	DropboxUpdate.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

3 1160 msiexec.exe

flow	pid	process
3	1160	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in System32 directory 6 IoCs

Processes:

DropboxUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7C5C79D5EA2EAA218D5C63883951605	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7C5C79D5EA2EAA218D5C63883951605	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038	DropboxUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038	DropboxUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exeDropboxUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_th.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdate.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\psuser.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_uk.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_zh-CN.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_es.dll	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUT32B5.tmp	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_sv.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_pl.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_zh-TW.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\@PaxHeader	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_no.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_en.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_nl.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdateOnDemand.exe	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_da.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ms.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_es-419.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_it.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxCrashHandler.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\psmachine.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ja.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ko.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psmachine.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxCrashHandler.exe	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdateBroker.exe	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdate.exe	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxCleanup.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_es.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_id.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_pt-BR.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdateHelper.msi	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_fr.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_sv.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_de.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ru.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\@PaxHeader	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ms.dll	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_nl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.911.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxCleanup.exe	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exeDropboxUpdate.exe

description	ioc	process
File created	C:\Windows\Installer\f774c80.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f774c7e.ipi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\f774c7b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File opened for modification	C:\Windows\Installer\f774c7b.msi	msiexec.exe
File created	C:\Windows\Installer\f774c7e.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DropboxUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

DropboxUpdate.exe

pid process

3056 DropboxUpdate.exe

pid	process
3056	DropboxUpdate.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

DropboxUpdate.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	DropboxUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd1900000001000000100000003b878212830eb36469856f1c683b836c040000000100000010000000e67b586f7046bfe0aa51f6660b119dd90f00000001000000200000003689022b62bd20e807ccc1f32720ab2a9eeb0712e84cc373464b29cc436def97140000000100000014000000b76ba2eaa8aa848c79eab4da0f98b2c59576b9f41800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000002000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DropboxUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DropboxUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DropboxUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

DropboxUpdate.exeDropboxUpdate.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\ = "{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ProxyStubClsid32\ = "{FE504B1C-2666-4039-831D-655FAA0FB97B}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C416C376-AEC5-4443-9D90-BEBA9434763B}\NumMethods\ = "10"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C416C376-AEC5-4443-9D90-BEBA9434763B}\ = "IGoogleUpdate3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\VersionIndependentProgID\ = "DropboxUpdate.ProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC422F86-7267-4AF2-8F4F-A20C060621DE}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05378308-2559-4C71-B758-7DACD5A359BA}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\NumMethods\ = "24"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\ProgID\ = "DropboxUpdate.CoreMachineClass.1"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE504B1C-2666-4039-831D-655FAA0FB97B}\InProcServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\NumMethods\ = "9"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\Elevation	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass.1\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.911.1\\DropboxUpdateOnDemand.exe\""	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\CurVer\ = "DropboxUpdate.OnDemandCOMClassMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CLSID\ = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\NumMethods\ = "4"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\ = "Dropbox.OneClickProcessLauncher"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback.1.0\CLSID\ = "{49423331-2B41-4EDE-838E-F8C8F3F6BF62}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0\ = "Update3COMClass"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CECD4BFB-9F43-4540-B72C-706BE66B375E}\ProxyStubClsid32\ = "{FE504B1C-2666-4039-831D-655FAA0FB97B}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0\CLSID\ = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\NumMethods\ = "42"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDA8FC46-0F9A-4A8C-8764-3B80880A9AEB}\NumMethods\ = "14"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\ProgID\ = "DropboxUpdate.Update3WebMachineFallback.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\ = "DropboxUpdate CredentialDialog"	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

DropboxUpdate.exeDropboxUpdate.exeDropboxUpdate.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	DropboxUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 4b0000000100000044000000420033003900380042003800300031003300340046003700320032003000390035003400370034003300390044004200320031004100420033003000380044005f0000001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee140000000100000014000000b76ba2eaa8aa848c79eab4da0f98b2c59576b9f40f00000001000000200000003689022b62bd20e807ccc1f32720ab2a9eeb0712e84cc373464b29cc436def97040000000100000010000000e67b586f7046bfe0aa51f6660b119dd91900000001000000100000003b878212830eb36469856f1c683b836c0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	DropboxUpdate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd1900000001000000100000003b878212830eb36469856f1c683b836c040000000100000010000000e67b586f7046bfe0aa51f6660b119dd90f00000001000000200000003689022b62bd20e807ccc1f32720ab2a9eeb0712e84cc373464b29cc436def97140000000100000014000000b76ba2eaa8aa848c79eab4da0f98b2c59576b9f41800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DropboxUpdate.exemsiexec.exe

pid process

2820 DropboxUpdate.exe
2820 DropboxUpdate.exe
1160 msiexec.exe
1160 msiexec.exe

pid	process
2820	DropboxUpdate.exe
2820	DropboxUpdate.exe
1160	msiexec.exe
1160	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DropboxUpdate.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2820	DropboxUpdate.exe
Token: SeShutdownPrivilege	2820	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	2820	DropboxUpdate.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeSecurityPrivilege	1160	msiexec.exe
Token: SeCreateTokenPrivilege	2820	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	2820	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	2820	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	2820	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	2820	DropboxUpdate.exe
Token: SeTcbPrivilege	2820	DropboxUpdate.exe
Token: SeSecurityPrivilege	2820	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	2820	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	2820	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	2820	DropboxUpdate.exe
Token: SeSystemtimePrivilege	2820	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	2820	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	2820	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	2820	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	2820	DropboxUpdate.exe
Token: SeBackupPrivilege	2820	DropboxUpdate.exe
Token: SeRestorePrivilege	2820	DropboxUpdate.exe
Token: SeShutdownPrivilege	2820	DropboxUpdate.exe
Token: SeDebugPrivilege	2820	DropboxUpdate.exe
Token: SeAuditPrivilege	2820	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	2820	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	2820	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	2820	DropboxUpdate.exe
Token: SeUndockPrivilege	2820	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	2820	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	2820	DropboxUpdate.exe
Token: SeManageVolumePrivilege	2820	DropboxUpdate.exe
Token: SeImpersonatePrivilege	2820	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	2820	DropboxUpdate.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe
Token: SeTakeOwnershipPrivilege	1160	msiexec.exe
Token: SeRestorePrivilege	1160	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exeDropboxUpdate.exe

description	pid	process	target process
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 1064 wrote to memory of 2820	1064	67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 848	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 2856	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3056	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe
PID 2820 wrote to memory of 3064	2820	DropboxUpdate.exe	DropboxUpdate.exe

C:\Users\Admin\AppData\Local\Temp\67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe
"C:\Users\Admin\AppData\Local\Temp\67728acae680cdea3a816a247677286bef1a6e654825774cb2774dbec0cb8d27.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd1ZqYkVLd2pBVUFILWxaQlo1U1UxZTRsWVFCQ2NkQkoxQ05LRjlGaE5wVTVXS18yNGNqcHVPLXpBMzVjN20xSWZJMWhYYi1VVDM5NTZfM0REQlhHOGZ4OVBjM0lnT205YWRZZFVzT2RaQ2dFU0RiRkd4TVl3anBXakpsNWhMQTBJREtxMVJjbU93VUl5Z3VFS0Ywa2dsak5BbHM3bl96NElJMW9jblhZTk44WkxjNENtMjdQc0QtcEFyZXd-fkBNRVRBIn0"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:848
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2856
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGphSEp2YldVNk9tVktkMVpxWWtWTGQycEJWVUZJTFd4YVFsbzFVMVV4WlRSc1dWRkNRMk5rUWtveFEwNUxSamxHYUU1d1ZUVlhTMTh5TkdOcWNIVlBMWHBCTXpWak4yMHhTV1pKTVdoWVlpMVZWRE01TlRaZk0wUkVRbGhIT0daNE9WQmpNMGxuVDIwNVlXUlpaRlZ6VDJSYVEyZEZVMFJpUmtkNFRWbDNhbkJYYWtwc05XaE1RVEJKUkV0eE1WSmpiVTkzVlVsNVozVkZTMFl3YTJkc2FrNUJiSE0zYmw5Nk5FbEpNVzlqYmxoWlRrNDRXa3hqTkVOdE1qZFFjMFF0Y0VGeVpYZC1ma0JOUlZSQkluMCIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjkxMS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezI3OERCODI3LTA5MjktNDMwMS04Rjc5LTdCMzUyQTFERjQwOH0iIHVzZXJpZD0iezcwQTA5MEEwLURDNzMtNEI2Ni1BMENELTk1QzBDREI0OUIwRH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntEOEI5MjZERi1FMjAxLTRBQ0ItQkY0Ri02MDhDQjg1NkYzQzl9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7RDg5NjhGRjItRTBCMS00QTEzLUEzRTItQzlGMjk5NUYzQkM2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjkxMS4xIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies system certificate store
    PID:3056
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd1ZqYkVLd2pBVUFILWxaQlo1U1UxZTRsWVFCQ2NkQkoxQ05LRjlGaE5wVTVXS18yNGNqcHVPLXpBMzVjN20xSWZJMWhYYi1VVDM5NTZfM0REQlhHOGZ4OVBjM0lnT205YWRZZFVzT2RaQ2dFU0RiRkd4TVl3anBXakpsNWhMQTBJREtxMVJjbU93VUl5Z3VFS0Ywa2dsak5BbHM3bl96NElJMW9jblhZTk44WkxjNENtMjdQc0QtcEFyZXd-fkBNRVRBIn0&nolaunch=0" /installsource taggedmi /sessionid "{278DB827-0929-4301-8F79-7B352A1DF408}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f774c7f.rbs

Filesize
7KB

MD5
7826d92bdfba0d5f6f384b8da8aaf90c

SHA1
ca1e563cf3bcbcaa4309ca2ce9cad20dde46d21f

SHA256
9244f007bf039a0d1f36ed3dbdbf33972b2d184f6f5d64410fc58306d16bd0e4

SHA512
d1772c7a15a00ac21c2f4a928bd01e2062414983e6211a116d824f6a47791b70204cbf831eb4e2c466f05452e0a6450e66a2585a7da5aee8313004e8b3e82d56

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxCleanup.exe

Filesize
323KB

MD5
a00bde016bdb87f3a975fc5e92dcee17

SHA1
664cbe91e0628cb3780b1666d568c2d1ab77d294

SHA256
5b2bcbf5bdebbba87cf3adc3830351861b7152ab5b9923560836ab865f10504a

SHA512
331e80a6e40e6a47cac247e1d64d612eaeb4980a91034449b4736bc13f82d5cc4db61875b05abe3eb9639b8bd2f52043051d7cb9545d11831fb8be88834de556

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxCrashHandler.exe

Filesize
130KB

MD5
3b607e9ae169797c5112736dd445db25

SHA1
076e59938996baf436888e2ecb536353071e0adf

SHA256
e7141aeb22ea3165a4f7fb8c4d210151575f1b95ef545e0978a2174598a08265

SHA512
1a80b6ed790d3325c365de14d7bdd4d98473c2cfd8a4eb5d97f99d9383946e6c9e892820e54182b06359f495cc42f261e455e3097413c605f0f208d7b6e3c2cd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdate.exe

Filesize
127KB

MD5
8ad76e0b347bb690697535ce95b1c656

SHA1
10d2622a3965d21215a953ed924d01788a9805ed

SHA256
7655221b493047c61285e1de78807d0584920b0d14d150e2487da9728b1926f3

SHA512
35fbda7f05865b3a50454dba5ba3738eb8a5fd6d2eea5e9415d8d517811d51c50cca6c7b47a5b19f1ff1f4101567137fe18805f4f740289456da1ff2af682504

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdateBroker.exe

Filesize
76KB

MD5
0cd7fddf34527ffbc563277cea3f575b

SHA1
cb83cd412163c3e89789e2cf3054a4110b72b998

SHA256
f4d066ce16ca47b19f5acec41155906ba08e0a6a565108ea77ae6c8f1136a55c

SHA512
fb50ddccd59a5bd9989f0eb5e44fcaa074e023328587d90d3dee740888b7b67b9f84270a55acaa4a6a523987c5edaab99ed39dedc7b1ca9c88aed87ffc9e600a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdateHelper.msi

Filesize
44KB

MD5
9ab89a05f39ef9f354de6d4074bf105b

SHA1
19cb4715f2f24b70a41a7cd33193a48f79a2fe93

SHA256
df7c8bcdbcf6247c25abdc09d332858b01450225a4ebb29ac6df4f713691b399

SHA512
ff5c51a2d11fac17d829d63fe7b43edf9fbd5acabdbc668d4eec495ef6edc5079cd9fd8b4d39902f4881920f61494966f8464009db4542a13c284da1cd6c8341

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\DropboxUpdateOnDemand.exe

Filesize
76KB

MD5
2ecab51764bc64fa9472eea19cba6ed0

SHA1
3412685e6d900c028e2818e99fe6ed1566a54830

SHA256
22729f1b9b966c1adfa268a806856b22e1769a5ff6e56475b0d286b9bf507314

SHA512
bf5914f482265dcaab858b457dc032893c49073f081a858b51e7575212d11fe4603e90da538a521a6b4817115d7b71783b985de083476a78e4649fcf94410744

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdate.dll

Filesize
1.1MB

MD5
eefc49f19dc8e732750b382e13cee819

SHA1
315a225ac014b3f8e8ed77c8fd5f7f7f75e8352a

SHA256
b0a29239fe624adb271a557409727eea317702f65f34f1ed84c55de6bc77cb25

SHA512
e8c5a7c30552b6688ba716d3f565abda7334f3ec2026ea8482eacf3d7b9396bf13fe76263a911002fc752d492f98303fd8dd3d8b478fe1fd5219e2e1835d1f00

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_da.dll

Filesize
33KB

MD5
126ce0740c8eae19471301f903c27108

SHA1
9a6e94d91f3e0c72df906b5f386a90c061aeebf7

SHA256
a315a0732a38934cddeddc8b403104dc10bd97f66d70ae1a60ef72fd4230beee

SHA512
1512d98f7d721c66c50a9dd799749366c64d9856e8bec788dde46eaf91c3459bbea08fe67cd6aeb851001d6b047e0db82002cb69e56e16a2fff551575fcf332b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_de.dll

Filesize
36KB

MD5
e0991c448cd818500f6c8f7509a84a40

SHA1
8f02d704805158e19c4b135bd3a9d5bd86e405e1

SHA256
c5212e357b3cba3564f357df0133735d9b5d482dc3e3ab70810bd72a62f3ca4d

SHA512
39ac38bc3679b54d500019d9014b4c78636f0fd23afa89605517939b164bed4efe7e38af1ab74cea5a9fcbbaa2548780c1037d570553c1d33c0d9b99cdfb4380

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_en.dll

Filesize
32KB

MD5
094b3376219215b2fea6acc3a9103b25

SHA1
20879bf11c9ab154616068adf70832a3c3e0d26f

SHA256
a4f9ef601bdf067426c30827957a2097653eea3f326b0ac6f679db4947202922

SHA512
88a25a91e1077ad2046c361b19ef33a6b66ba9f856999e7d0f41b0e4593d7d6d1a052254f8082623b1b098f0424f19b9b4f21fb989ae60bac855e221c3c1b09e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_es-419.dll

Filesize
34KB

MD5
6f21fdbec64a196fd9bb392e88428775

SHA1
baa928d714957c11613e36746a3cad6f71175021

SHA256
d8decf8a92badf2c9d512dfb16d4af9d6ae45b7eea80890cbf69c79ca3070935

SHA512
a930a346a5006ae20c53ba03c2763e9363a901ce9631edb26caec3697c9c6374bb664228eb5b1493c03379ea52ec50775658ca185c8717c984d768873ba1c34b

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_es.dll

Filesize
34KB

MD5
9cb5bb68af81808db323c3a30533e451

SHA1
e0bd3c40d54a2b8b9283c27d2d455a5afd9ec600

SHA256
c6d0b0916e358b0bd6ed02f3d9cecd7ef5a57fa273ecc164b556f2dd9b879ba1

SHA512
7f82bc54d72de4d2e74da3cde82aa538c16cac7641265599bd4680f6bf7c675e7883282984234eed2ab9b84b0a44164197d1c77fc37f94a2344a48b79aee3c99

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_fr.dll

Filesize
35KB

MD5
54dd28b2eddeec387c2de9b216532153

SHA1
0a163e432d3cc744c4755cf1b2b7bc7bed5de3ab

SHA256
a8034afac342ec89b918da3c466d396401da8cb97e8d7730d1fd7a7ecff125d9

SHA512
af5e976f13bcb3a2ba38b46f4c2df8b04a2b74359d21b299d13d0ea359a3e8791ca815470893aafd79ccb46583c96f046ff27e93c9780819fbc52716e7671ec9

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_id.dll

Filesize
32KB

MD5
192d4311141487c6e5b8e9e53245907a

SHA1
27294bbe84a29f2e5a7e05590a1c13a2bf22b153

SHA256
a151bf2ffca80ecbb38a8cfa3db30002dcb42749e4ff3c768ee3aae2cb9ecedd

SHA512
77a45d7842270d39abbc30bf3301840450fde871a88e29522c6f159bd0e4645aea02c89e7058c8325a922e0a8f5c531403b23254de7caa5324291ecb140a0c6e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_it.dll

Filesize
34KB

MD5
7aa209b91e208c4157a947975f312416

SHA1
ceec1c84d319170ab5eb9d670aa20b6673b80dad

SHA256
4c6fdca461a0caf39110dddfad734f0e1ad3656d8a11b8b1279dbe05594818b8

SHA512
c78afaca62a6e928273be6ed2cac8ebee760eb668f86864821da6ee492546413a2fd29bb0a4980ac6c2f81dffd65689ce5019f7992dc499fd9a750895b6e8ffc

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ja.dll

Filesize
28KB

MD5
b96eb4559e725359525e82e283ec4779

SHA1
136481b3d4b9feda5a7126af6f15e98cba22e350

SHA256
5d45d00e17e5a0a9d322299bfedb9aaeb17469120f1b9c374f0d3badcd8e0598

SHA512
ae820ea2341065390c5a37d462ebc8f96ef74e5241d4592cc53b94bf20341960200316530a7e77fbe2e0bd7d48f1e102d34be7b2dd248e77f2e9b2879b4be96e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ko.dll

Filesize
28KB

MD5
2d116334e9d12666417575547433fc70

SHA1
3f824d9b27edfd3086cc1fbd6bf4d04e1a33b132

SHA256
98868e4ed9918de9ab3e2388595235c10defee540999203dd712ad15c8304c99

SHA512
0a4ef8e79243b265cef3dfe0262c48e2739495a032bcd91fa0264a90a1ecf62d2e1d60cb13f4ebf1b3c150c0bc35ac07beab93a6a256978b68f41e7d27f5944a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ms.dll

Filesize
32KB

MD5
a390231d487ab42345b0c0250ed767b8

SHA1
33bff729a689e7ce1e631b20d53e29d2cf5c3014

SHA256
d3a0a2a7a7cd083645242c224607f3cb66a933c8f433d72771b3693ee88f3c56

SHA512
4987ff6abf27a9789a0bc08fc39fb1f48efc52bf7efc907e35720b3eb3d1937ae0db233b0c7f1a3c0e6c037b60aa0f74d38126c6c0e2a3d8a8cc792950a895a4

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_nl.dll

Filesize
35KB

MD5
eb5c039ed11bbd25008c9ea40534e3cf

SHA1
609683ef8699c6232feb39ace66a28afcdbe8ab2

SHA256
a33e1ca83c2b43014527c687388fada28fe2d940b9e8622c81c635fa093135c1

SHA512
89311f2333ec99fdd44ae04c3610bb5655e877583164d35bd7ef09d396396512f94ad90f7ac7ffb0edb1ce801f269c7c8d271124dadcec9a681ff160f27e4ca6

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_no.dll

Filesize
33KB

MD5
144294e8d5a1feb77b717ecbf7d5e86a

SHA1
f42d6826645f1202243c8f410a42ca2e75ed69c8

SHA256
ea0bee6774f927317c05a0ac7eb036c1bef672249dc8fee390449eb26b40997d

SHA512
6477e500135adc425105c804b517fb527257b2648ec0497c10519f3388aa2394520983bf7de593386ae2c1893d37e0ff9040e6fa0eb0ad3f3845a82eea8d3b93

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_pl.dll

Filesize
34KB

MD5
49e4bb26edf1551a6a75d8f99e7e7c60

SHA1
b3b20d24505b66918b31647701419993ebb67639

SHA256
6b97ece1f16a2f1d99392f0880b99262537b0f7d59897d9a974150a25ec4f335

SHA512
aca6106b463c4218a8de3b78a59c14a28d873b5851d570beab4abec1f9db0a42d1194ace06ea42a4f37a60cf141288d3340e206ed089e0649386c6a9ce229c42

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_pt-BR.dll

Filesize
33KB

MD5
6867ab5d7515e5e2b04ecc9c8c511d68

SHA1
53d829f2a3c868976a691f1bea92a5c5d4657086

SHA256
908f345025c31d766b3189fbcf8457047603b69e2b9e91146d30c0962ce4d801

SHA512
55071ed358a5d64efa6d4797f53ab8b20a3b41e3127e6509a0c6dd6e09a5363bef4c66bd6685a5f89ac4bb6e38c5582264ae97f84c4ec164d30f9bfbed89541a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_ru.dll

Filesize
34KB

MD5
431768cfa5ed3774107aec0cddf23abd

SHA1
eda72761c54fc3e2d426d715b9181609807be468

SHA256
f3d3c07ce75e2be074a28d0201faeac7e858a67b274bc112d414dddf02078c6e

SHA512
f3c7da9d5e661b1efdcf10d99d3e28b30d21fa6a15fd00bb0a75e3fb2fd28d468237534005cda27edae3b488708df7b0fc31c81f92c9ce9b2636c8945cd632ac

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_sv.dll

Filesize
33KB

MD5
f5279d96c1aa2a1feffc82a329864085

SHA1
595bb28ec374961c0c87c85a0a037000d0160d5c

SHA256
5db6737fae50622909f09fc276cc2d47a1e67a5670fe39352bbd1768dc443ae2

SHA512
843eba27c78e52900d78c5624983d941a85b1618785d6125ed5d645f1344f82ea64bd3d4899144f19f06a5bfe86a8321d593e23813df024af91b835c55bead5e

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_th.dll

Filesize
32KB

MD5
f12bf39090960bf9dd933a3fbb21cb69

SHA1
f165202357d25c6f5def8911fa43c7f140a15ed3

SHA256
c34d0bdfe4af1b31543327659d5579899c1c63429d7c725a34294c47d97102d0

SHA512
572b24b4489768f09d64f4db172a0a28bb92d2c45051ec5817ab8cfe3879cb33c5ba26b62229a3ccb3459e3806167feabeedc1307277150357b13a5fb2fb077c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_uk.dll

Filesize
33KB

MD5
488bf1cf2b04d2dd682e1ef0f23f5f3a

SHA1
6fa6b21a4a42855a01c8af26c9ca945494ec039b

SHA256
45f844c94c19257a09573568f96cc1a4aa368d2cc9e9280a6ad267de4c564aa4

SHA512
205a24425da59854e2ccb101813d8522b1032d1d1f6bb61188b47fbd2da1608fc0573eadfdf1dbe6766ed56d860f5777af0ad4665fe86533abaa5cb532a75a4a

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_zh-CN.dll

Filesize
26KB

MD5
14d2c6eb631ec1557263d249b1e2e2fb

SHA1
51e3889627cf72398f603f188f0be91ee9925899

SHA256
9b4e3e8bf366562f9b019611ef542e02c45e4fb5659e672a77545e1392083db0

SHA512
82ae111a8cc04dcb45fa10657ff5b5d13192527e42f8b7af58a3769feed713a8f43530cda2daba54d839bf5b14d6817382f585f54dd70521f07039bc252451b8

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\goopdateres_zh-TW.dll

Filesize
26KB

MD5
fb5996aa43ca35aa2785b78dfba27b2d

SHA1
2cef3511e920552d86d055bafe822c7249ab8ec8

SHA256
f185c7b48767aa5757f87ba76a96c9aca200e44e98dfffa7a23a2deb04a315cf

SHA512
53afd7236364e33a90da001993e32aa6f1a95b8ba73eed0cb5dd499acf22406e25937038262cf6697c5e970435e0b5ad11eb7d8b53a6fb6501a3e23fd742438c

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\npDropboxUpdate3.dll

Filesize
274KB

MD5
bed3f629455188556d54e8868cc3705b

SHA1
4ed92e45fc62b6427fecd5d94f2ac1a53d072ac8

SHA256
aaf37e7be50fb5ea738ccdd615c7985b9efdaea43290094c6696ae0f6348051f

SHA512
123a68c0ca8e315d7bb2193ade5f2a57a1bac36ba8d7b8cc542ecc629065067dbfae30683ed1c85cf652b372ce569ea4d3f30692b78bfcd9f030f9d0c449b9fd

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\psmachine.dll

Filesize
212KB

MD5
57250ac3da5cfe80eac551f4231a73f5

SHA1
e075cbfb7590e4702d9a9e4abb693c0b2e8a89ff

SHA256
40b05834d9f30e8f07ee22c1d115a0a95d8d95489b4078aa0b640dee7c6a111c

SHA512
8ea8d7a64cc881a2c73bbb6ed3b60574cf582c4b28570b253b4ca50060cfeff0e8df37cb37837e8a0e52e76cdb6f51e572b8be178704fb3093f07f4bdbbdcb94

Download Submit
C:\Program Files (x86)\Dropbox\Temp\GUM32B4.tmp\psuser.dll

Filesize
212KB

MD5
0fa0151b62cf23391917784b5adf0e1f

SHA1
89dfe00691d97cd9b2904519c6292ab6b36bfb82

SHA256
bc519e9f04c84a2287e8f274743a23a425995156e9c882c09695f13d4095e196

SHA512
1adc6b20ab17bf462a00b86fbdcadc576c37d3a5752ef0940a33843cb9a1d74081d543e3e2ea28aa3b160b638b07864b943d856933bb29c31bea7067e0975daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3555.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job

Filesize
906B

MD5
356e90bf8f9ef73d590c82bad2bb5295

SHA1
2d24931c4188f133d27e52ac43bb0c01b1b9291c

SHA256
841797f0ea0f7eb6dd1e9207f4655b40789421e8a2f8117f2a80687e38f03628

SHA512
3db8d9ead30bc333f14618a40b6578ac796c733f5a858449f514ba486ec23d03abd272d39e56ba1b50a54e34d323747142c11840a6586403aa7a1907709c6c5d

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2820-92-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download