dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c

Analysis

max time kernel
73s
max time network
76s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/10/2022, 01:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe
Size

677KB
MD5

241371760584b2567e714761621ef643
SHA1

79dface7886b376731a85d591d0d0a66e6380e92
SHA256

dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c
SHA512

e653c8b5537c63364aa48c6a0051a79d42db7ad4f5f490c5b96ad1fea158478ff59030cc5598009e50df0fbd6c28db3ec5d9a46a28663fccb89eb7f4a24adedd
SSDEEP

12288:T/iSue6Y9aby+NOGdGPJX8wEnDdClQDgByPOxHRn9zojy5D2X73928dGS8fFTK:T/ii6Y9NNGdGhXAolKOTxHBJtk70IGS3

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	604	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1672	DropboxUpdate.exe
1708	DropboxUpdate.exe
584	DropboxUpdate.exe
980	DropboxUpdate.exe
1612	DropboxUpdate.exe
368	DropboxUpdate.exe
1744	DropboxUpdate.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Loads dropped DLL 29 IoCs

pid	Process
1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe
1672	DropboxUpdate.exe
1672	DropboxUpdate.exe
1672	DropboxUpdate.exe
1672	DropboxUpdate.exe
1708	DropboxUpdate.exe
1708	DropboxUpdate.exe
1708	DropboxUpdate.exe
1672	DropboxUpdate.exe
584	DropboxUpdate.exe
584	DropboxUpdate.exe
584	DropboxUpdate.exe
584	DropboxUpdate.exe
1672	DropboxUpdate.exe
1672	DropboxUpdate.exe
1672	DropboxUpdate.exe
1672	DropboxUpdate.exe
980	DropboxUpdate.exe
1612	DropboxUpdate.exe
1612	DropboxUpdate.exe
1612	DropboxUpdate.exe
368	DropboxUpdate.exe
368	DropboxUpdate.exe
368	DropboxUpdate.exe
368	DropboxUpdate.exe
1612	DropboxUpdate.exe
368	DropboxUpdate.exe
368	DropboxUpdate.exe
1744	DropboxUpdate.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_ms.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_pl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\psmachine.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_es.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_nl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_sv.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxCrashHandler.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_ja.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c0c9f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18D1.tmp	msiexec.exe
File created	C:\Windows\Installer\6c0ca3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0ca1.ipi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\6c0c9f.msi	msiexec.exe
File created	C:\Windows\Installer\6c0ca1.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.189.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A812990327ACD34D85B163756A6E149\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.189.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\VersionIndependentProgID\ = "DropboxUpdate.Update3WebMachineFallback"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\ProgID\ = "DropboxUpdate.CoreClass.1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Net\1 = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.189.1\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}\NumMethods\ = "6"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass.1	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.189.1\\DropboxUpdateOnDemand.exe\""	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\ProductName = "Dropbox Update Helper"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}\ProxyStubClsid32	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78F1393A-63FD-494A-BA89-2C3ECA4E8EC8}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8474489-B2C1-4CE8-852D-FF8A916C91F0}\ = "ICoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalizedString = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.189.1\\goopdate.dll,-3000"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5973594C-004D-4C7A-B354-EC1924884807}\ = "PSFactoryBuffer"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E6CC2A7CB440C2A4DBE17EE5DAC2110B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CurVer\ = "DropboxUpdate.Update3WebMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\VersionIndependentProgID\ = "Dropbox.OneClickProcessLauncherMachine"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.189.1\\DropboxUpdateOnDemand.exe\""	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass.1\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C52C4100-E8C6-438B-AEAC-43C99F7CCC26}\ProxyStubClsid32\ = "{5973594C-004D-4C7A-B354-EC1924884807}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\CurVer	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\ = "Dropbox Update Legacy On Demand"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\LocalServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5973594C-004D-4C7A-B354-EC1924884807}\InProcServer32\ThreadingModel = "Both"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC2E189E-C306-4710-BBCC-A8968ACAEB2E}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync.1.0\CLSID\ = "{A496C5D9-84FE-4E84-9D20-7481589E1C23}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\LocalService = "dbupdatem"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\ = "ICoCreateAsyncStatus"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDA8FC46-0F9A-4A8C-8764-3B80880A9AEB}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ProgID\ = "DropboxUpdate.CoCreateAsync.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\Elevation	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1672	DropboxUpdate.exe
604	msiexec.exe
604	msiexec.exe
1744	DropboxUpdate.exe
1744	DropboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	DropboxUpdate.exe
Token: SeShutdownPrivilege	1672	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1672	DropboxUpdate.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeSecurityPrivilege	604	msiexec.exe
Token: SeCreateTokenPrivilege	1672	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	1672	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	1672	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1672	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	1672	DropboxUpdate.exe
Token: SeTcbPrivilege	1672	DropboxUpdate.exe
Token: SeSecurityPrivilege	1672	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	1672	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	1672	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	1672	DropboxUpdate.exe
Token: SeSystemtimePrivilege	1672	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	1672	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	1672	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	1672	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	1672	DropboxUpdate.exe
Token: SeBackupPrivilege	1672	DropboxUpdate.exe
Token: SeRestorePrivilege	1672	DropboxUpdate.exe
Token: SeShutdownPrivilege	1672	DropboxUpdate.exe
Token: SeDebugPrivilege	1672	DropboxUpdate.exe
Token: SeAuditPrivilege	1672	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	1672	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	1672	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	1672	DropboxUpdate.exe
Token: SeUndockPrivilege	1672	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	1672	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	1672	DropboxUpdate.exe
Token: SeManageVolumePrivilege	1672	DropboxUpdate.exe
Token: SeImpersonatePrivilege	1672	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	1672	DropboxUpdate.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe
Token: SeTakeOwnershipPrivilege	604	msiexec.exe
Token: SeRestorePrivilege	604	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1736 wrote to memory of 1672	1736	dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe	28
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 1708	1672	DropboxUpdate.exe	29
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 584	1672	DropboxUpdate.exe	31
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 980	1672	DropboxUpdate.exe	32
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 1672 wrote to memory of 1612	1672	DropboxUpdate.exe	33
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35
PID 368 wrote to memory of 1744	368	DropboxUpdate.exe	35

C:\Users\Admin\AppData\Local\Temp\dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe
"C:\Users\Admin\AppData\Local\Temp\dcf1c9062c99e7d0b1a3d9e31e2f1fe36942b875bb809e64bf8b3d4f7e44582c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpRek56R3lORFkyTXJjME1qRXhOVEUyTWJNME1ESXdNakl6TkRRM3RyUTBNakl5TkRLdEJRQ284dzJ3QE1FVEEifQ"
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:1708
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:584
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDVjbFpwY0U5TVV6ZFBlazB0VEhvd2VGSnpiRWwzVG1wUmVrNTZSM2xPUkZreVRYSmpNRTFxUlhoT1ZFVXlUV0pOTUUxRVNYZE5ha2w2VGtSUk0zUnlVVEJOYWtsNVRrUkxkRUpSUTI4NGR6SjNRRTFGVkVFaWZRIiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMTg5LjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkUyNjU5QkUtODYxQy00RTIzLTg5NEMtMUExMDkwMzk3NTU1fSIgdXNlcmlkPSJ7NjYxOTY5QUItNzM2RC00NDlFLUJGNkItQTBFQTZGRDc1OUVFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezNFOUFBQTQxLUZCRTgtNDZCNS1BOEIyLTZGRTQ4QUIzNTdFRH0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0Q4OTY4RkYyLUUwQjEtNEExMy1BM0UyLUM5RjI5OTVGM0JDNn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4xODkuMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:980
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpRek56R3lORFkyTXJjME1qRXhOVEUyTWJNME1ESXdNakl6TkRRM3RyUTBNakl5TkRLdEJRQ284dzJ3QE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{2E2659BE-861C-4E23-894C-1A1090397555}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDVjbFpwY0U5TVV6ZFBlazB0VEhvd2VGSnpiRWwzVG1wUmVrNTZSM2xPUkZreVRYSmpNRTFxUlhoT1ZFVXlUV0pOTUUxRVNYZE5ha2w2VGtSUk0zUnlVVEJOYWtsNVRrUkxkRUpSUTI4NGR6SjNRRTFGVkVFaUxDSnlaWEYxWlhOMFgzTmxjWFZsYm1ObElqb3dmUSIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjE4OS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezJFMjY1OUJFLTg2MUMtNEUyMy04OTRDLTFBMTA5MDM5NzU1NX0iIHVzZXJpZD0iezY2MTk2OUFCLTczNkQtNDQ5RS1CRjZCLUEwRUE2RkQ3NTlFRX0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntFNTc3NUU0OC02NUNELTRERDMtODA1OC05MzVBQUJCQkYyRkN9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntDQzQ2MDgwRS00QzMzLTQ5ODEtODU5QS1CQkEyRjc4MEYzMUV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjcyMSIgZXh0cmFjb2RlMT0iMjY4NDM1NDU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dropbox\Update\1.3.189.1\DropboxUpdateHelper.msi

Filesize
30KB

MD5
a4cd8d299f04b14b1657be9b09bd6d3b

SHA1
9f109d41c1b20270c8f673467e8f3bc7347983cd

SHA256
9d570af2916d93f2517394393ff89de90f468bbbdec609e5dd63c32227079c16

SHA512
41ba1d1b96d3f6bb66d7f672cfb52066d087c953a668edbac371ea25050e316febeb658d023fa887869eee858d9dea43595d564702fd2f2d2ec2bda660035d8d

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.189.1\psmachine.dll

Filesize
214KB

MD5
3efe497dd5303b717b744055fe5f7df1

SHA1
6ed1dd1894629df335b5f76b3d24f39128d82101

SHA256
5e2e970e51731cfe4d228a58ae5d223c95df24008ab0bf923a57c84f26aed0e6

SHA512
8947ef9ce26905bb9dc3eb037a98520f13ababaf0441c006bd195bd57e5af88892263223dec45119a7f46f05756d3ade73850b426486475ad306c711a767bff3

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxCrashHandler.exe

Filesize
134KB

MD5
a1a6886b71fc8056b10a8637efd2fb44

SHA1
a8d4f7c6ea1c4d9e3cc23843ca4aac830aa972cb

SHA256
f61337a4bae80fe1ab3ab6975a58ad628afad6a82973d7673555615e071e1c77

SHA512
b2dd17f2f302d3d14244a2dcc798b4f11dadf47e51cec09e4dffed928c0e4cd544b90b811156777ab81b52836f9337859ecf816d30e0ff3e194e78b5e07b3cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdateBroker.exe

Filesize
80KB

MD5
e20695c6a3f1752bdbaf56fea4575947

SHA1
86aecf30af74eeaa29e0b4b39cc9267dff8a19b1

SHA256
06ca42226dea548ed2985367f19fc7398f52d5c3d8a73cec5f29e5044fcc6826

SHA512
7011a3a8a7878cfb5afd843d0b2c5a660bcdc15c29674734cd02d73a972df9f6b4296f21df47c7583d72dd08f72b9c9c4a6361b78c3d16d2a8d276d6dd7be3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdateHelper.msi

Filesize
30KB

MD5
a4cd8d299f04b14b1657be9b09bd6d3b

SHA1
9f109d41c1b20270c8f673467e8f3bc7347983cd

SHA256
9d570af2916d93f2517394393ff89de90f468bbbdec609e5dd63c32227079c16

SHA512
41ba1d1b96d3f6bb66d7f672cfb52066d087c953a668edbac371ea25050e316febeb658d023fa887869eee858d9dea43595d564702fd2f2d2ec2bda660035d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdateOnDemand.exe

Filesize
81KB

MD5
5348f4d2371ec36b68e58dc455f8ac24

SHA1
d5826a8853b67f9301cc646fe497a850045fdf78

SHA256
96be463f434b6e3c0c66960ae14bb61c2a99cf3d42c4f5989b220dcf1e7b085a

SHA512
31efc39c03c8d86984c72a47b6bae364f1bb52f250e4779c2d63ebfa01074fd0d88b1de29988d8346d8fbc3b9de4a803e929e9b0c773cdd9150591aec9771371

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_da.dll

Filesize
36KB

MD5
1c1d06d0c0623f2161403434e4aa11b7

SHA1
59119ff8d970a51cd875c1b16048fe6f702bfe60

SHA256
2ad622e7cccb5cabc5b5a9735cb8c7ca99abc010d3ed685fd4b613943b544b88

SHA512
8c0580139b3687689c31b74547f6c89f25b36a34b23e187c8ccae5336f294af0793eae2dbe86373e3882e68219a53eb8a21d6d081a320ba1e0d197fd0d2ae3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_de.dll

Filesize
38KB

MD5
4d05d46307a7e2dd520f345509822b4e

SHA1
b064e7d7ea51bd93b996521c836024160ff52344

SHA256
b9aed8556cc5f60f47be2445a777c8f05d67b776d91f0671d9d4a4d6d87e518e

SHA512
fd00d98c9d0dc6388b90fa0d5de8d6bfad91334e59bbd0243262858e98267e3fbdf9ffd862abdb727a47f7b58f15c6706bd86270901962434722b796b6acfa99

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_es-419.dll

Filesize
36KB

MD5
4ddd9d2e8732bef6992eeac929d45c65

SHA1
ac04e4f6f81e5d2b281e1a25807dc09eb41e17b1

SHA256
c4e719abc4951af338599e19575f5e710abbe3a334848c159313c33a27af505f

SHA512
38c58a408d9739bcf74bd280df91b3026e60b26bf8624cd5f7bb70c776a90eee0fddce9b18b77273de31058fd51e4af3a9aa513461f5a015523e9f6180fbbcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_es.dll

Filesize
36KB

MD5
dc0056877b6d2aea99d2481b1eb5df37

SHA1
a55f3afc58c69337975422ed99f3a02f459869d5

SHA256
7e40f9ce94e29cd1c83180cd6ad8e185c748e78186774cceef8507c07986acf2

SHA512
807b35dd3cd0427e51c91cd76bff1468ab70cd64f18a841922e144df142a274a27e89fd3b1ada20e93b6a5d7d9edbf90393afc421c5f703003d5938afe80ee40

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_fr.dll

Filesize
38KB

MD5
ba96deaf6b86df4abcdc4650f09ea36d

SHA1
827cde99e09721e50a86639a4f3b71570f44e5f1

SHA256
0e594042c10092eca1adc3d6806281e001eca1aabdeca763e4669c6f006e3575

SHA512
ca29dfed99da60df788a6de7757611aedcb1e0a6f7adeeeed0388a5b917e46cd3d56db2f2f7324e7cf0c45045edc77494246a0d958fb5b58f2501e8655e54bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_id.dll

Filesize
34KB

MD5
921bc17cb7120bb60c65d3e732006fff

SHA1
0c7506c65acdff24557aecd501949710f9411bbe

SHA256
f8bfd81972b17f9de111fd5261f97c9a69f3361ff510c2bb764a9567f611f699

SHA512
96d63c07e5e260ad71b216c970bcaa818989497cf6c656b36c45d0abe1a752883d09ce69ed02ebc5a1fa775ae3112d8ba81657654134c5b330ab54f60184bdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_it.dll

Filesize
36KB

MD5
59e41c18252345ca8f30ff257556fb3c

SHA1
41e2b3d0dcf1ae0b0680eddae1f5956675d7d020

SHA256
865ffa5e0dcc5bbb8311d769c1a3af1c36b79f28b4e186efdf9b19ef5fd59023

SHA512
39b8525ff9c7eae457527681d3711b6351be24e3a6dd21c891d06c3c5f133ed21d268c6d0c96a3f8ff36927c1b12d11b56df1616abe8b919adce1c20e8699574

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_ja.dll

Filesize
31KB

MD5
240f9c462c0c9c3bdc6056f1123624b4

SHA1
4f4b538a021dcf79f890669ce1b285af3805d10b

SHA256
59d0d2a6e1d065f3006578f946f7ef321cb89a65008b3258bb846cbdb8d5c3aa

SHA512
299b3e1434ab442d575294aa589a74f04001ebcc446017163d10efad3a1bb01fe25e48ac810a3ac5f164f9478168bf8b215900e4126506b217389243e7152dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_ko.dll

Filesize
31KB

MD5
574100c5d602e239d6ad58bc4c955c91

SHA1
1f175187687bd9d5eda35b3d96932712c298dad6

SHA256
5af789a4897a93ef830e19536bcd7af7d255c2eced8048eaed9961b23197738a

SHA512
32a335138ce7fd78b73c0bc8f93e6bc123dd4672d638c58bcdfa5b8280f1558fffad9c61b2399516fb68183daf931b546e7c8024c22df9b705082863f810002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_ms.dll

Filesize
35KB

MD5
2081ec2c66fcc5acbb30f6556f25b9e3

SHA1
686cba70e3ffc455ae07d0436f927a53e25cb909

SHA256
d640df4b8ff8f2f03e862a6509ff1de54736fb57903a2eda83e03b7e5b74c79c

SHA512
9eb09d999a24809f69ec7436823f55d7afb1d7b710ba9855681b694b2edb729dc894fa503a74e10f2518a8af966356163d32370eb59edbd678ff5e4b2a3846dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_nl.dll

Filesize
37KB

MD5
d18256843f9ed6c0886c9f6fea796840

SHA1
3f9d7b485a899b4ac21816a0de63055a8c0248c6

SHA256
d856ec37ae3958157fca4cacf6ab8282f92a9f198d2bf975dddfb6f1348d0a8b

SHA512
6072b4bfb15e9c04497c59b6ce0c3216eac9987d20070a02ae2bcafff0a63eda42fe2f3ba62d9eb2d9d8dde2f4cf3188a252464a3ed0d65bc6cea41d711c5958

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_no.dll

Filesize
35KB

MD5
a27dfd9cc95b5edd4c2119180319c6df

SHA1
6492ea40638cb0ff0740171f115f3aadebf06f79

SHA256
2d9338040444e8c6385454006bbf2921ad001bff2ad54b29239b754dad33fcb2

SHA512
fa7b8153eb5243bebf0b738f391496d61a3c9e5abcb79097c0c90d945136fb3435ae2c730f2c58e17cb683eaa0c44257e548572b50c3deb6a1f6ed1aeff4c229

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_pl.dll

Filesize
36KB

MD5
7bdfdb00cb05792c61015948f13597e4

SHA1
4963ea35eef06540fd5158dd460274410d761cb8

SHA256
289f468e8df820260e1d3a5d46f0a18f54678154bda55224bfe9a90046d86752

SHA512
a747f6044bd9a94d5b62802f24c444a8beaf717e9740aa93ba7afba185cf93c987eccb9f4e4fba29af5eb2d52f8417d2a293fa547fb741b8e5e34e167cb52d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_pt-BR.dll

Filesize
36KB

MD5
7c248687522485f5287a1de3ebbf04c4

SHA1
be035799d215d4edc5c44894595fa1971dce2285

SHA256
6bfec1506010e05953d032dbad6f9f0c8c679b03bbfd1cd259ca826def9b4515

SHA512
0a6478322dcd699cd1306c4ec1569b4b3db40830320f89ccde9fd66c06e20fecfc67b239351e2d1247e2834e1303b0d337a5d8bbaacfd3ed7cfa5294067a0604

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_ru.dll

Filesize
36KB

MD5
70751f935f2e3bf859faa9c8f2801103

SHA1
2316aed62d4ed8147d92e85efa0949759bbe9613

SHA256
a2ed965d874f1c30c9f2ec60c46aafdd169dfcb3260228161600c9d6508bffc7

SHA512
1e8f1f11f1d7767d11ee6371be6dcc2f1333b16b77d813a21130ca9f7b48e8f7f302283302caa06163d08fde6c5b1a2aaf162b4003d6c5f24b9d0216b282b4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_sv.dll

Filesize
36KB

MD5
df0da1bf1be53c8b3108103dc02ddb25

SHA1
67ea3020ade222c30bdd955496d1f52ed06ba845

SHA256
c46c85230fbbad8de0ecb6314c5738383ff860b6a5bf5bf3be2a6086f67bb938

SHA512
631c796e63633ed8ad70199b5d4fa5383e4df106d0dba3ff3bcd7409fbb780244667b3bfc191be6f4921388467058c2daecea92a3fd45e8f240173bec21e720a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_th.dll

Filesize
34KB

MD5
9fb6a38fd05cb256dc47fab4d3784c6b

SHA1
47edbd6957bd108c65a733d5d6d9df97d13a7dc7

SHA256
6e119d0c23769e0fffe8e898f56362330ba9938acea7d679a1d8d558052459d0

SHA512
95a4b39b6b2d4fd52188ef3f2b8a8132a0f49ee031db7c937233c1112dda5d8394452bed8f48aadbddacc7ce6ff3cb3f450daa571ed8035c350f601a9ee5d284

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_uk.dll

Filesize
35KB

MD5
4ef911ecaa845a29c273aa3657b62d29

SHA1
9a263877e14645089655620e7e3c4fcf49544639

SHA256
233c1d7595c40693dfc9c43bfd81e07b0e9eb874b6ae320703a543ecd698cf15

SHA512
bbf6dce36fc533e7c3922fe452f0cc19c9d383c01ee772a13eedf7de1a8cbdcb3ceeb2b3d35f1b5701b4f7a681ef0dda11659c0b3489aa2e0a34b8bfa75db532

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_zh-CN.dll

Filesize
28KB

MD5
a2c04bb0d8017a36ab4b57b3e4152512

SHA1
5fc31eb32ac1b375be4e22cc48a9fa25115037f2

SHA256
1832004348ea390302742d362131295197696ca5ffe533f099ae0eeb1a494693

SHA512
c11cd62ef931b8ed2eb4b2e3d001d2c9ae2439a3839fdd54b049995841b088b8127461cb31ebb1799d6a29f40dbf4970c91cde6c9f1feffdad4d39ccc6885530

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_zh-TW.dll

Filesize
28KB

MD5
efefd4b9418989027d88bed64a76badd

SHA1
389251576b1b540896838e4c967d065cf3b405f0

SHA256
9c4a6863847fad9f67b106024c56ac3db1ce6ae08489906d3c3e4fa93eea0221

SHA512
a7b712b0f095e039897b09fd8301d3aaef6ed76d1c4bc40cfe7c72b69648f23978804944335d6ac9afa96b6dcba1846ba5d8c4bdbecbac1b512da70373d05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\npDropboxUpdate3.dll

Filesize
277KB

MD5
7861cff31261d459a1fc48d80d0da58e

SHA1
4d27a09d41dd7c9170926143334c39c10fadd4a1

SHA256
b8b94e5030d79de1f97a160969c15a45fd9900a998c6b20e9c58053d5c2878a4

SHA512
ea8cc52fb1919fce35e0b1747236ae38ce35f194260b273837fb5bc42a822132b135261ba86d681caa9dbaf3334ea9c0a027068495ee3beb0eb5826d9fa93ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\psmachine.dll

Filesize
214KB

MD5
3efe497dd5303b717b744055fe5f7df1

SHA1
6ed1dd1894629df335b5f76b3d24f39128d82101

SHA256
5e2e970e51731cfe4d228a58ae5d223c95df24008ab0bf923a57c84f26aed0e6

SHA512
8947ef9ce26905bb9dc3eb037a98520f13ababaf0441c006bd195bd57e5af88892263223dec45119a7f46f05756d3ade73850b426486475ad306c711a767bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\psuser.dll

Filesize
214KB

MD5
f2fdf45980391493615673a2efc41ef9

SHA1
6209a96e6423d6eea880f500c7bfc1a24be1b775

SHA256
87e4ab3a6e6b69d25a7867054f5ff77647ef31c58d3f59549ef0b43f0a4b3e12

SHA512
a152e3f3f7d95cd5c4976e1637d70430651bbf7c8194ca6998e7dc9d2074cb5b4f16b4dfea03b725024d8cecff71aa99bef75e10e090a04074b2ff23e1787809

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\npDropboxUpdate3.dll

Filesize
277KB

MD5
7861cff31261d459a1fc48d80d0da58e

SHA1
4d27a09d41dd7c9170926143334c39c10fadd4a1

SHA256
b8b94e5030d79de1f97a160969c15a45fd9900a998c6b20e9c58053d5c2878a4

SHA512
ea8cc52fb1919fce35e0b1747236ae38ce35f194260b273837fb5bc42a822132b135261ba86d681caa9dbaf3334ea9c0a027068495ee3beb0eb5826d9fa93ad1

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\psmachine.dll

Filesize
214KB

MD5
3efe497dd5303b717b744055fe5f7df1

SHA1
6ed1dd1894629df335b5f76b3d24f39128d82101

SHA256
5e2e970e51731cfe4d228a58ae5d223c95df24008ab0bf923a57c84f26aed0e6

SHA512
8947ef9ce26905bb9dc3eb037a98520f13ababaf0441c006bd195bd57e5af88892263223dec45119a7f46f05756d3ade73850b426486475ad306c711a767bff3

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\psmachine.dll

Filesize
214KB

MD5
3efe497dd5303b717b744055fe5f7df1

SHA1
6ed1dd1894629df335b5f76b3d24f39128d82101

SHA256
5e2e970e51731cfe4d228a58ae5d223c95df24008ab0bf923a57c84f26aed0e6

SHA512
8947ef9ce26905bb9dc3eb037a98520f13ababaf0441c006bd195bd57e5af88892263223dec45119a7f46f05756d3ade73850b426486475ad306c711a767bff3

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.189.1\psmachine.dll

Filesize
214KB

MD5
3efe497dd5303b717b744055fe5f7df1

SHA1
6ed1dd1894629df335b5f76b3d24f39128d82101

SHA256
5e2e970e51731cfe4d228a58ae5d223c95df24008ab0bf923a57c84f26aed0e6

SHA512
8947ef9ce26905bb9dc3eb037a98520f13ababaf0441c006bd195bd57e5af88892263223dec45119a7f46f05756d3ade73850b426486475ad306c711a767bff3

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdate.dll

Filesize
1.1MB

MD5
85b44b13bf87df85d8f25bdd9b0b7b9e

SHA1
505dc172e9cf212420f285f550692774ca16fcb7

SHA256
c59f4b4b7cc5875836e04e120815741db1977040893ca9baa34c33e72b6f75c1

SHA512
aad3ffbd140f79f846f657baa7905bf3d040232b9c58e41b1cbeae66e83214b3e6fb9162f647d5e90e082b146d460badb2812ab226c7ae7c9348862ca6fb8157

Download Submit
\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
\Users\Admin\AppData\Local\Temp\GUMF24C.tmp\goopdateres_en.dll

Filesize
34KB

MD5
65e19549205d04e1424c7b435ccae257

SHA1
78bf8fae0f3388e24df7080d2a19bed0ee89c2f0

SHA256
8ea7a09c6682c31799b795165c1b7840f54a26f5ba35db1c7261ced2c863fd27

SHA512
71e8a5fbdcebc31b5f8cc718eb0d8fef965d667b8832f316d7325e6a766ed0fc2089806e2b2c162097e304f41298ea9f4b9080681df4a2d9c6e458094a08502a

Download Submit
memory/604-100-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1672-57-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download