b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967

Analysis

max time kernel
79s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2022, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967.exe
Size

678KB
MD5

aba7daf8c24b65e565492e35ea74b67a
SHA1

fd1d9f5cc6741ccea79137be5ab3065df62df3c6
SHA256

b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967
SHA512

de0b322b24a261975b174c23b333af08a0cc057b10c01b1b393dbc231e315a54db183282cf026c6831d09d9ada48f4de0fbeb96df5292e436021ec2fed9af809
SSDEEP

12288:H/iSuWgJQQNHrfZA4lzI3Xc1KruEquZJ7WAFcvBJV503sHldphqzO:H/iygFNHBlzUXaEqs6ZJV5TleO

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	5036	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1448	DropboxUpdate.exe
4144	DropboxUpdate.exe
5056	DropboxUpdate.exe
4564	DropboxUpdate.exe
2388	DropboxUpdate.exe
3260	DropboxUpdate.exe
3032	DropboxUpdate.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DropboxUpdate.exe

Loads dropped DLL 13 IoCs

pid	Process
1448	DropboxUpdate.exe
4144	DropboxUpdate.exe
5056	DropboxUpdate.exe
5056	DropboxUpdate.exe
5056	DropboxUpdate.exe
5056	DropboxUpdate.exe
1448	DropboxUpdate.exe
4564	DropboxUpdate.exe
2388	DropboxUpdate.exe
3260	DropboxUpdate.exe
3260	DropboxUpdate.exe
2388	DropboxUpdate.exe
3032	DropboxUpdate.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_ja.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_nl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxCrashHandler.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_ms.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_es.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_sv.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_pl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll	DropboxUpdate.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e56d297.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\e56d297.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{099218A5-A723-43DC-8DB5-6173656A1E94}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID90F.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d29a.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05378308-2559-4C71-B758-7DACD5A359BA}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\CurVer\ = "DropboxUpdate.CoCreateAsync.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26334014-27BC-4508-B7F6-255838230C16}\InprocHandler32\ = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.241.1\\psmachine.dll"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\ProxyStubClsid32\ = "{13F7EDC4-472B-4ECA-B815-8CD83AFF21B5}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\ = "IGoogleUpdate3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ = "IAppBundleWeb"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\ProxyStubClsid32	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26334014-27BC-4508-B7F6-255838230C16}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\CLSID\ = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\ProxyStubClsid32\ = "{13F7EDC4-472B-4ECA-B815-8CD83AFF21B5}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDA8FC46-0F9A-4A8C-8764-3B80880A9AEB}\ProxyStubClsid32\ = "{13F7EDC4-472B-4ECA-B815-8CD83AFF21B5}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\ = "IBrowserHttpRequest2"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\ = "ServiceModule"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ = "CoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass.1\CLSID\ = "{3A337332-37E4-4063-B4F3-6416846C8A33}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher\ = "Dropbox Update Process Launcher Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\ProgID\ = "Dropbox.OneClickProcessLauncherMachine.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13F7EDC4-472B-4ECA-B815-8CD83AFF21B5}\InProcServer32\ = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.241.1\\psmachine.dll"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\CLSID\ = "{A496C5D9-84FE-4E84-9D20-7481589E1C23}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.241.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13F7EDC4-472B-4ECA-B815-8CD83AFF21B5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\AuthorizedLUAApp = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{E54806CB-0046-4BCF-B389-3A6F732DC6E6}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Net\1 = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.241.1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\ProxyStubClsid32\ = "{13F7EDC4-472B-4ECA-B815-8CD83AFF21B5}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C416C376-AEC5-4443-9D90-BEBA9434763B}\ = "IGoogleUpdate3"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\NumMethods\ = "24"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback.1.0\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine.1.0\CLSID\ = "{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\ProxyStubClsid32	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1448	DropboxUpdate.exe
1448	DropboxUpdate.exe
5036	msiexec.exe
5036	msiexec.exe
3032	DropboxUpdate.exe
3032	DropboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	DropboxUpdate.exe
Token: SeShutdownPrivilege	1448	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1448	DropboxUpdate.exe
Token: SeSecurityPrivilege	5036	msiexec.exe
Token: SeCreateTokenPrivilege	1448	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	1448	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	1448	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1448	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	1448	DropboxUpdate.exe
Token: SeTcbPrivilege	1448	DropboxUpdate.exe
Token: SeSecurityPrivilege	1448	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	1448	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	1448	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	1448	DropboxUpdate.exe
Token: SeSystemtimePrivilege	1448	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	1448	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	1448	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	1448	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	1448	DropboxUpdate.exe
Token: SeBackupPrivilege	1448	DropboxUpdate.exe
Token: SeRestorePrivilege	1448	DropboxUpdate.exe
Token: SeShutdownPrivilege	1448	DropboxUpdate.exe
Token: SeDebugPrivilege	1448	DropboxUpdate.exe
Token: SeAuditPrivilege	1448	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	1448	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	1448	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	1448	DropboxUpdate.exe
Token: SeUndockPrivilege	1448	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	1448	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	1448	DropboxUpdate.exe
Token: SeManageVolumePrivilege	1448	DropboxUpdate.exe
Token: SeImpersonatePrivilege	1448	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	1448	DropboxUpdate.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1448	4880	b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967.exe	83
PID 4880 wrote to memory of 1448	4880	b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967.exe	83
PID 4880 wrote to memory of 1448	4880	b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967.exe	83
PID 1448 wrote to memory of 4144	1448	DropboxUpdate.exe	85
PID 1448 wrote to memory of 4144	1448	DropboxUpdate.exe	85
PID 1448 wrote to memory of 4144	1448	DropboxUpdate.exe	85
PID 1448 wrote to memory of 5056	1448	DropboxUpdate.exe	89
PID 1448 wrote to memory of 5056	1448	DropboxUpdate.exe	89
PID 1448 wrote to memory of 5056	1448	DropboxUpdate.exe	89
PID 1448 wrote to memory of 4564	1448	DropboxUpdate.exe	91
PID 1448 wrote to memory of 4564	1448	DropboxUpdate.exe	91
PID 1448 wrote to memory of 4564	1448	DropboxUpdate.exe	91
PID 1448 wrote to memory of 2388	1448	DropboxUpdate.exe	92
PID 1448 wrote to memory of 2388	1448	DropboxUpdate.exe	92
PID 1448 wrote to memory of 2388	1448	DropboxUpdate.exe	92
PID 3260 wrote to memory of 3032	3260	DropboxUpdate.exe	99
PID 3260 wrote to memory of 3032	3260	DropboxUpdate.exe	99
PID 3260 wrote to memory of 3032	3260	DropboxUpdate.exe	99

C:\Users\Admin\AppData\Local\Temp\b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967.exe
"C:\Users\Admin\AppData\Local\Temp\b9a5a63980cef2dbb5135885592654d6539bf73b154c1ba037b0d2833f05e967.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp3RndiRU5nREFNQk1CVlVDYncyXzVIWmhrYUtOS0V3aVZpZC03ZTBYZjNmTlk1cjNGc01JYVFoS0NVVzlERnltQ1dLTzVXS3JoOVA2Z0REYmt-QE1FVEEifQ"
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:4144
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:5056
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDNSbmRpUlU1blJFRk5RazFDVmxWRFluY3lYelZJV21ocllVdE9TMFYzYVZacFpDMDNaVEJZWmpObVRsazFjak5HYzAxSllWRm9TME5WVnpsRVJubHRRMWRMVHpWWFMzSm9PVkEyWjBSRVltdC1RRTFGVkVFaWZRIiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjQxLjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0VBRTRBMjEtOTMyQS00NjQyLTlBQ0UtODNDODQ5RDEzRDBGfSIgdXNlcmlkPSJ7OTE4MjFDRTEtNzdERi00QzFELTlDN0EtODgzMjc0NjFFMEU1fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0UyREVERjM3LTU1MjgtNEJFMS05Q0M4LUJBN0EwMEE1QjM1OX0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjIiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntEODk2OEZGMi1FMEIxLTRBMTMtQTNFMi1DOUYyOTk1RjNCQzZ9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMjQxLjEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4564
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp3RndiRU5nREFNQk1CVlVDYncyXzVIWmhrYUtOS0V3aVZpZC03ZTBYZjNmTlk1cjNGc01JYVFoS0NVVzlERnltQ1dLTzVXS3JoOVA2Z0REYmt-QE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{7EAE4A21-932A-4642-9ACE-83C849D13D0F}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDNSbmRpUlU1blJFRk5RazFDVmxWRFluY3lYelZJV21ocllVdE9TMFYzYVZacFpDMDNaVEJZWmpObVRsazFjak5HYzAxSllWRm9TME5WVnpsRVJubHRRMWRMVHpWWFMzSm9PVkEyWjBSRVltdC1RRTFGVkVFaUxDSnlaWEYxWlhOMFgzTmxjWFZsYm1ObElqb3dmUSIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjI0MS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezdFQUU0QTIxLTkzMkEtNDY0Mi05QUNFLTgzQzg0OUQxM0QwRn0iIHVzZXJpZD0iezkxODIxQ0UxLTc3REYtNEMxRC05QzdBLTg4MzI3NDYxRTBFNX0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9Ins0MTgzMUU3OS0wRjJBLTQyNTgtQjlENy1CMkQ5NkFBQ0I3MjZ9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4yIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7Q0M0NjA4MEUtNEMzMy00OTgxLTg1OUEtQkJBMkY3ODBGMzFFfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSItMSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI3MjEiIGV4dHJhY29kZTE9IjI2ODQzNTQ1OSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dropbox\Update\1.3.241.1\DropboxUpdateHelper.msi

Filesize
30KB

MD5
1905b09343458611d425b878d952f244

SHA1
b233b692a0ea2316c373d5c07df3334d12401bb4

SHA256
3f12a7bc7294843ca776eb9e8a9e678e5090a3efe2562387c2b99319bc2f4d35

SHA512
2c25de3ae19d3dc6ffa917f2dc8546ea826870a6ee8c3c0ae344d3bba6890d89704c5173973c2eadb84051310272d786600ba4efd30243b33b3ac6e4d3fa4d40

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\goopdateres_en.dll

Filesize
34KB

MD5
d41af73c522e5ab7ccc8f85cb5bcaac3

SHA1
090c9fc507f4a8841e68855e4a22942c8e2119c4

SHA256
a122b4149707eb2cdc89153b3d36b2576eb4642f540dbe6f0777b469aafe6e35

SHA512
bf5b159e9c607f73dace9f0d05f47ab14344408990887b3687be1df3f2394ca9bbc55a955ed95a71aeaeaf9c24a944327a631e1b14e0b53e1434be2d83d90380

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\npDropboxUpdate3.dll

Filesize
277KB

MD5
5da098c1e36418ebb95dab692da32666

SHA1
016f1d79dd6b44e6643fef2ae495d9761d7f3c9b

SHA256
e11fbf43ee8486b62e6428d380df5eddd3b89d3bf9179f9e565ee90bc3fb8e88

SHA512
82ad979d20350d7e50ee201e8c4c1d959e0a76f2fb026303abca0fb5bb37a38ec4447a5530fd3f3497f7975f05c1b3a79ca98e0b2b206245c7fc40063bd06ddb

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.241.1\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxCrashHandler.exe

Filesize
134KB

MD5
ba0f8b063f4aecfa7f51400d7c4968b3

SHA1
326ef5c884738ab7955b9ec0292818e2bcc15582

SHA256
25103c1340a308890a110fe1ae39c800792e8ac1a49ab1b2a792a8c1aa824bc7

SHA512
d6d486b7045f103efe61bfe3da965f28b1b389f4e4a5db79370ef589bca030a0b466afde9102ccdaecaf77dfc1317bda28b30aaa09cb97e0b3d50eece1e61883

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdateBroker.exe

Filesize
80KB

MD5
3cab937d6da0cd8db2618176d5a80325

SHA1
8902b08d8f2dfa620dac3b7f5adeaa804e928e94

SHA256
4707e2947d52c5f59bffbbb7bfd05ad774460778c4471abf51f9b88600c249c8

SHA512
0ad58a8dc51f8f9dbd243bfb530aad38a9253beb0d0e3b4fadf60bd01dfdf7994acd45a4aa976f8111429d0a1dc9db813988ed00f6391b05a58ca17da156d1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdateHelper.msi

Filesize
30KB

MD5
1905b09343458611d425b878d952f244

SHA1
b233b692a0ea2316c373d5c07df3334d12401bb4

SHA256
3f12a7bc7294843ca776eb9e8a9e678e5090a3efe2562387c2b99319bc2f4d35

SHA512
2c25de3ae19d3dc6ffa917f2dc8546ea826870a6ee8c3c0ae344d3bba6890d89704c5173973c2eadb84051310272d786600ba4efd30243b33b3ac6e4d3fa4d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\DropboxUpdateOnDemand.exe

Filesize
81KB

MD5
37b4c6062d2dc5a38b005e56d46b5067

SHA1
95fa7625de7f7065674b505011ffdd2ae218dec4

SHA256
3e148e43fc8ee3606a8076a41f6c4e6a3535778f9e039c85d67f3dac48a57448

SHA512
8050e48757913b6e4f80ebfbcf27ea739c1e1005fee17f6b7768eba05b295eb29a0b61b19da9fd72145e6f954136939f5f2d87a25a2367d3b50b9e129666b63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdate.dll

Filesize
1.1MB

MD5
66c0ee54571bd2db6477a7833bdac1f3

SHA1
895ac7a9eb101d790855e8b011d34d7a1460b76e

SHA256
b51746d27840ab5d0c21f1bba79f521adb2206a309e47b2ab424fda10fcff2dc

SHA512
a20b93ef404e55426151b5a7072b3d7c0b56d050d1b9b6a578285ce56dc4c184d9aa0205c9a4eafd873b2bf010977c26d7e5a3df9ec2535dd846231404724639

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_da.dll

Filesize
36KB

MD5
51d5820851d221b80a9ce0324c22e265

SHA1
ad772334ce4b61bba64dca1805d720f25d86bdad

SHA256
e1ab4891123fd2f5b655791b4ec22147cb104d41553f97021535bf96bdc391f9

SHA512
4ca78ca0d19af8c2551bb80594ca8fd745a38f3fae8175cfbde0019e59079d6c245bde59a9ee2d098334184b649090efcc372881c98e91418bdff12041be2f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_de.dll

Filesize
38KB

MD5
a271166824c35066f322ddac77b2f547

SHA1
4dbebbe5603d2a2d2312d69f23e9c8c5bc217865

SHA256
0a5cd91f676c6b88c7faf7e8e7ddd6da9fa3b146764f44214c858f703fbccb3b

SHA512
880f3bfdad0e6ebc4587ada503748c248533d9b305f9cd9fe7a4e8b17e92fb7e1adbe6194f0aabac4f814bcc0e75e4428ddfc593fa7740fdee41a5bd2ee6d769

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_en.dll

Filesize
34KB

MD5
d41af73c522e5ab7ccc8f85cb5bcaac3

SHA1
090c9fc507f4a8841e68855e4a22942c8e2119c4

SHA256
a122b4149707eb2cdc89153b3d36b2576eb4642f540dbe6f0777b469aafe6e35

SHA512
bf5b159e9c607f73dace9f0d05f47ab14344408990887b3687be1df3f2394ca9bbc55a955ed95a71aeaeaf9c24a944327a631e1b14e0b53e1434be2d83d90380

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_es-419.dll

Filesize
36KB

MD5
0b43993a65b96c65807a979facf16fcb

SHA1
feec7ee3a38b70abdace9061bb7e296571bafb11

SHA256
0f8a789b71d6ee2f77652d1e9324f7c1a19b9642ee691c5e9047da5b233ce213

SHA512
1b198288ff6037ef00f498c535aaab248b13730bf81f25a3467b6f8b431fe76d80565c42ec9e3c3dd4f843c2b0d71d8137b2cb8599c498ac1d8456ac6cb9a525

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_es.dll

Filesize
36KB

MD5
9f59ba8c6dea62e623c1d5e9d5343d8e

SHA1
eada721b72961779b8a0a3addd507f9ab3d4117b

SHA256
c8783230f9719f7632e0a531c0a2273eeab2afebc0f2d88ddfbec51eebbffe24

SHA512
481e66723e81ca88f649a8185179f34fe6b555e0134c8b473ce534e9182147732b11b5329897947d2e895931ffe368a5c3a8a1dde7b0aea52e2c34b21566c13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_fr.dll

Filesize
38KB

MD5
143cb86e959e93420d518545811dae6d

SHA1
8ec9302704ced0d5c297ef399f9ceee92f2c7892

SHA256
46dc0993418ee3cd990510d3728706ad494f07dcc6de89dde95a1103b9349a89

SHA512
7ce5c9c7cec55e1e71b4b6b6595bd96b12cf39ca9dfdb8e2f5fe347e0170971aeae5d68ac51c67af833c1419c950f6c7ae0715b31e27c37449d10135416747ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_id.dll

Filesize
34KB

MD5
ff90b272baf02ebbf54673c397deb61b

SHA1
5258925572148811d1eb0d2f6ecb1fd190a553a7

SHA256
fc57ea85d8a50e8d0785d22bbadf48b9471dbba9a572adf64ebbaf49e3b71b27

SHA512
49928f12a7751ca92c1a4f1f29e5b5e64f51e35051b7f6e7f83b0b1820fe49f754ba913a04e25d722a0d16a7ed25a98d1dfedabcac63484b4c968933902a09f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_it.dll

Filesize
36KB

MD5
ec718439199f9e3d1b40c8dd7de90a89

SHA1
085f5719d4d84002db704a55ce07803248ca0c9c

SHA256
12b4dfc3e6587b7cd7a6335fe166f27c943a7a4a01130df12a907807df7fea36

SHA512
ee287e450abb706dd3df0e46cb4090de11b3b5276dddc52366739dff963b49d18166c3abd3c244991967e0652d189160e825ba8d5284dfe2051165f6b48313b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_ja.dll

Filesize
31KB

MD5
c65d3029576fb7a735b52d698b06d847

SHA1
80cf43ff68a410dcd3ac42122dd1f71fdddba486

SHA256
a1d73b420f70cfaf64761c7d1343cdfbd274bd8e18afe7161ea4f35ee26a9843

SHA512
d6f2a03538a53f761603d0744bb5b2d74e4e4c276dccd96de78b9cf59ef5204ca02d1f51d78cc7abe1f97114ff4e7c16290cc8f3e6c638e8ae76033a1bab9d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_ko.dll

Filesize
31KB

MD5
a81814fc1115cc4036ba606bdee8d153

SHA1
9124166b1972f64d110378647d7de846d0b4d373

SHA256
4ce2f12a3bbc39deaa1ee2db39f08e2431d5c12042b763f62ac81c5f65916423

SHA512
1a1fa2747966316de9012f9350f35c6e1073d7a99fa3de28e6d33e1e4cfa9fa3ebf1872f2818698dac5e199fa01532bb1a1648c9ddb6ee5512c07e4bbcf3b317

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_ms.dll

Filesize
35KB

MD5
cc32421cc1c2470bd4afc1e78ab6e57c

SHA1
3339aaa2ca05c21f80db2a14e060dc8f72e0fafe

SHA256
34e7ae5c926af92f97e1d260ff4272b234669985a84c757e878517ab45a20e34

SHA512
2e7f04a9c48021164c0d42e69d21bcba862137510ba1129057b2957cd9b4f0f92f31364a485ddf696545212740c5e1337c4c6e3ab1ce4d9695fec55129c0b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_nl.dll

Filesize
37KB

MD5
928ef7a39c2761064426874c818d789d

SHA1
91033c5e6c2854d91ae9ea75631e58fc8ed8f706

SHA256
4e844446b24f01c870d4e93e6425ff80722a1d52ac0c53ccad0a880e4e33cc9c

SHA512
222c437f1d44d5f8a5a316e2cbfa936045e18dfccc0aafe8228c09008703083a6de2fe7c5a4a3ec69de71878bb0a88b7e4a604ccfca176781ad3fe5d02d52db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_no.dll

Filesize
35KB

MD5
3c915fc293abf68102601d715bc4e5a1

SHA1
4af2ef9be06da8013c1bc4f4149cc1b7dc3a4c84

SHA256
e4552ea57ef9a3ed150fb14ddde54c18fcd4211cc022a7d94cc9a8b1c9e07a81

SHA512
d0c59eb3b8d10313dc08819bb07e40042f9739d6d1f23026db83b0c9c0fd4c40c063e15007cfcc190a290eab812cc65d8ca75099043f3e2821cd297f312217a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_pl.dll

Filesize
36KB

MD5
a7d7a5d0b873689d769e17834f93ac8d

SHA1
a4fa28a4057aa2afc5654ccc7feaa0538654862a

SHA256
d5665c51e6bde63904e4b3c8b4a602547632b3b2c447a9ee957d1d5171479ce4

SHA512
9acc7d803d42a856eed1ffa36613eeb8cc1915ce76ce10cfbbb32b0f238b218fb6f9887f611b7acfa1f8fc12016da5305f9cdc82c8219940377d40bf09e9f5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_pt-BR.dll

Filesize
36KB

MD5
b7a62c4673d9bb139c58db6bfb57a222

SHA1
5f8e711ab556ab568fe589f157e5159c2aa8eacc

SHA256
3fff7b6c61b7f359bfb5137ee3d0e2af903761d09a72caadcf56699f5e561f7d

SHA512
db66593531dd233dfc5e12ce2c36cbdb5e8522255e97abfbcf94988c96737edbb6863c9e3880376bf5ff60e4211bf1f529455b7c407ec7ae4d9ee5975c35cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_ru.dll

Filesize
36KB

MD5
b280545afcf3b1fc84619b9da4a78eae

SHA1
67c5f584fb3caafdb47a034fb752fd843fa911d6

SHA256
c3fb61ec5d27f51277917cd19aa56c1c8993fd183bdaeabd5a8ad27c33d9d13a

SHA512
2fc0e09b7e4d4f3a44ff6a8071289f9a2bdd9c01fb9781bfc027ee4417e3f45480bbd95bcb3b78a905a6861d9ed98056f070e35a89f5a8c6680b09435efe244f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_sv.dll

Filesize
36KB

MD5
7b20cdc4a0a777f63ac3686d8d75161b

SHA1
3357195ac8a6a1183abbe4eb0db106952c0898d8

SHA256
178995dc570d35f4fd9acfd284b6cb0ee55ab09d33ceb4c249bee76193354372

SHA512
f7d71835653766bccababe543c1183b6641c55b9c60c46af6a13a213d45b4be2f2e0ce39ee5e9addc10292f0300a3db728bcb4f8e3fdf0aa6dcd82baad9a7d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_th.dll

Filesize
34KB

MD5
766bb87dc0d25de4abc6a0db7906963a

SHA1
ded65bf8410a73e9965e00a56c842229c4f5a746

SHA256
c7a25e6eacc29e55120d0b3e32671b0d645da38fb688a733a9ad1dac6cf6a5cc

SHA512
9f2cffd96cb41aa9d0d7cacbf2fbea4502180e4708b0b5a675f27731da49465a3a7cb5e6082aa0220b7f6ded92c8014d39c19112b870726852055a4df1c3b5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_uk.dll

Filesize
35KB

MD5
ef6a2543d20b03aeeed87925c5b7f531

SHA1
19a7c93ab2215180339ffabe22aea0bc3b0e0255

SHA256
0d45d32e17467417bdc7170b15441589d4490fa8fc7362d7766fe5cdf04f775a

SHA512
9b6ab57deddaf1e7a78b5c04f132be73b183c04b16f208a2efbcd70ac7f60294786de7900bdf3884c4a040cd39a35fd734684ad8d70ca913b2b2643d4dd23560

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_zh-CN.dll

Filesize
28KB

MD5
270aaf5fe93a74018e711ba19cd6d067

SHA1
e0faf9dee68f509f419d78d0c397e603eb39279a

SHA256
48a127a8d7df55b1d8b2f96658f9837e7f21da286a3f386122cab4e4924addfd

SHA512
462624ab9e8f76459ae62b5504c9f771bc9a4f70995a8920d6c5ab6a9eeaa9756c9413c44af6470477aa2d1225547704191db73ad81a2dd5d2a0272c2941ab6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\goopdateres_zh-TW.dll

Filesize
28KB

MD5
ec7f8cedf37fc991fbadb577f23a34a6

SHA1
3fdc8b2e27f4855b2753834a6e38ceccffe604ee

SHA256
e53d1caedb9da7672d03f0fc03d52c75d2bd9cf3ef7460aadc50f8d05f1b141d

SHA512
c925a1fcb983477854ab12c9623d147df39dbef611a9fa606f39b4bb51a61797b6e896345aebe820bbe12dc5e5a1fd1fea964adb3345c8ed3d3c168828e56e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\npDropboxUpdate3.dll

Filesize
277KB

MD5
5da098c1e36418ebb95dab692da32666

SHA1
016f1d79dd6b44e6643fef2ae495d9761d7f3c9b

SHA256
e11fbf43ee8486b62e6428d380df5eddd3b89d3bf9179f9e565ee90bc3fb8e88

SHA512
82ad979d20350d7e50ee201e8c4c1d959e0a76f2fb026303abca0fb5bb37a38ec4447a5530fd3f3497f7975f05c1b3a79ca98e0b2b206245c7fc40063bd06ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\psmachine.dll

Filesize
214KB

MD5
8518ce155cb3ee768561e81ae18e34ce

SHA1
bb858713ff0f4778a0bc1f68312c102a0e9792e3

SHA256
6ceb0dd4b716a4cf4ff83446c728055a502d5f538e0202669effa669ec62414b

SHA512
f0164f1fca642f53059d67f026e05ca2afcd054cc1779fcaaf8b158c31a290af1f6d05a0b6f3742aa53aaac557252784e3676854f0de6ec4e854e44f315a5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC44F.tmp\psuser.dll

Filesize
214KB

MD5
eb338f236a61fc62042059efa1a767c4

SHA1
358910a59832255c79252b58e533f37c4ce4c589

SHA256
2ab71ebbd9b8c80e15e034c7f9aa5a77dd375e8b95c5bee6fd2a2a276221c5e1

SHA512
3d172257a2edb6f807784255361ccedc9c47abb4f2e7c138f6e672678e75094aa958129fb3ba5c13d0f7e824bf12cf30f00c839d42746eb827963a68a972db59

Download Submit