ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421

Analysis

max time kernel
107s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe
Size

653KB
MD5

6331ae44e712d0a156c5ee01adef0a35
SHA1

b5f258ee307da1ca477fd59a23a5a316f6d7cf48
SHA256

ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421
SHA512

c3442eb60459823fdf41f3215866bbc2c8edbec87134f7cad0886d0ced51c9bee7eeb967dc7487d69a7bf3bfe37f19ea9b6ffc69a9d95500bce511aff1c5978f
SSDEEP

12288:2/iSuer0/XxA997pgueg1gDR22x881frsd6qzMTMNU+Ynj:2/i6I/XxA99lWV2E88m8quzj

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1544	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
684	DropboxUpdate.exe
856	DropboxUpdate.exe
1060	DropboxUpdate.exe
324	DropboxUpdate.exe
1792	DropboxUpdate.exe
1176	DropboxUpdate.exe
1548	DropboxUpdate.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe

Loads dropped DLL 29 IoCs

pid	Process
1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe
684	DropboxUpdate.exe
684	DropboxUpdate.exe
684	DropboxUpdate.exe
684	DropboxUpdate.exe
856	DropboxUpdate.exe
856	DropboxUpdate.exe
856	DropboxUpdate.exe
684	DropboxUpdate.exe
1060	DropboxUpdate.exe
1060	DropboxUpdate.exe
1060	DropboxUpdate.exe
1060	DropboxUpdate.exe
684	DropboxUpdate.exe
684	DropboxUpdate.exe
684	DropboxUpdate.exe
324	DropboxUpdate.exe
684	DropboxUpdate.exe
1792	DropboxUpdate.exe
1792	DropboxUpdate.exe
1792	DropboxUpdate.exe
1176	DropboxUpdate.exe
1176	DropboxUpdate.exe
1176	DropboxUpdate.exe
1176	DropboxUpdate.exe
1792	DropboxUpdate.exe
1176	DropboxUpdate.exe
1176	DropboxUpdate.exe
1548	DropboxUpdate.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_ko.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_sv.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\psmachine.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_ja.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_nl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_pl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxCrashHandler.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_es.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_ms.dll	DropboxUpdate.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6cc0e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc0e2.ipi	msiexec.exe
File created	C:\Windows\Installer\6cc0e0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc0e0.msi	msiexec.exe
File created	C:\Windows\Installer\6cc0e2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECD2.tmp	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\VersionIndependentProgID\ = "DropboxUpdate.Update3WebMachineFallback"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\LocalizedString = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.295.1\\goopdate.dll,-3000"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}\ProxyStubClsid32\ = "{C2A3623F-5A23-428B-BA4E-FC06F769AA1F}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine.1.0\CLSID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback.1.0	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.295.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D8A9A6-624B-4D62-A6D3-4121D876EC42}\InprocHandler32\ = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.295.1\\psmachine.dll"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}\NumMethods\ = "4"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\ProxyStubClsid32\ = "{C2A3623F-5A23-428B-BA4E-FC06F769AA1F}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\ProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FDA8FC46-0F9A-4A8C-8764-3B80880A9AEB}\ = "IAppWeb"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback.1.0\CLSID\ = "{49423331-2B41-4EDE-838E-F8C8F3F6BF62}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\VersionIndependentProgID\ = "DropboxUpdate.CoreMachineClass"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\Elevation	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.295.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78F1393A-63FD-494A-BA89-2C3ECA4E8EC8}\InprocServer32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\LocalizedString = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.295.1\\goopdate.dll,-3000"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation\Enabled = "1"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}\ = "ICredentialDialog"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{76E258F0-DE86-4CEC-9D30-3F728A898741}\ServiceParameters = "/comsvc"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F84F5221-63AA-431E-A57C-D7D03649E3E6}\NumMethods\ = "8"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{E54806CB-0046-4BCF-B389-3A6F732DC6E6}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe\AppID = "{96D1EED3-701E-4FE5-B996-A543A8465897}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A337332-37E4-4063-B4F3-6416846C8A33}\VersionIndependentProgID\ = "DropboxUpdate.CoreClass"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\VersionIndependentProgID\ = "DropboxUpdate.OnDemandCOMClassMachineFallback"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\ = "IOneClickProcessLauncher"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\Elevation\Enabled = "1"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachine.1.0	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\Version = "16974119"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\ProxyStubClsid32\ = "{C2A3623F-5A23-428B-BA4E-FC06F769AA1F}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\AppID = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass.1\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8474489-B2C1-4CE8-852D-FF8A916C91F0}\NumMethods\ = "4"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{831F99E1-2250-4065-8975-7408E726825F}\NumMethods\ = "14"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine.1.0\ = "Dropbox.OneClickProcessLauncher"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0\ = "Update3COMClass"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B35122D2-0036-4536-AEEA-EEA68E54A460}\ = "IGoogleUpdate3WebSecurity"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}\ProgID\ = "DropboxUpdate.Update3WebSvc.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67D8A9A6-624B-4D62-A6D3-4121D876EC42}\InprocHandler32\ThreadingModel = "Both"	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
684	DropboxUpdate.exe
1544	msiexec.exe
1544	msiexec.exe
1548	DropboxUpdate.exe
1548	DropboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	DropboxUpdate.exe
Token: SeShutdownPrivilege	684	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	684	DropboxUpdate.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeSecurityPrivilege	1544	msiexec.exe
Token: SeCreateTokenPrivilege	684	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	684	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	684	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	684	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	684	DropboxUpdate.exe
Token: SeTcbPrivilege	684	DropboxUpdate.exe
Token: SeSecurityPrivilege	684	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	684	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	684	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	684	DropboxUpdate.exe
Token: SeSystemtimePrivilege	684	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	684	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	684	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	684	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	684	DropboxUpdate.exe
Token: SeBackupPrivilege	684	DropboxUpdate.exe
Token: SeRestorePrivilege	684	DropboxUpdate.exe
Token: SeShutdownPrivilege	684	DropboxUpdate.exe
Token: SeDebugPrivilege	684	DropboxUpdate.exe
Token: SeAuditPrivilege	684	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	684	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	684	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	684	DropboxUpdate.exe
Token: SeUndockPrivilege	684	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	684	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	684	DropboxUpdate.exe
Token: SeManageVolumePrivilege	684	DropboxUpdate.exe
Token: SeImpersonatePrivilege	684	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	684	DropboxUpdate.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 1384 wrote to memory of 684	1384	ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe	27
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 856	684	DropboxUpdate.exe	28
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 1060	684	DropboxUpdate.exe	30
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 324	684	DropboxUpdate.exe	31
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 684 wrote to memory of 1792	684	DropboxUpdate.exe	32
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34
PID 1176 wrote to memory of 1548	1176	DropboxUpdate.exe	34

C:\Users\Admin\AppData\Local\Temp\ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe
"C:\Users\Admin\AppData\Local\Temp\ecd6a6b52965bfee9ff7a5b566b452362022ba20b2fab207e099471949d53421.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TkRFMHN6QzBzRFEwTnpFME56QXhNVEUwTlRJd05qQTNORE15TXpFek16SzBORFl5TURLdUJRQ243ZzJrQE1FVEEifQ"
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:856
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1060
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDVjbFpwY0U5TVV6ZFBlazB0VEhvd2VGSnpiRWwzVGtSRk1ITjZRekJ6UkZFd1RucEZNRTU2UVhoTlZFVXdUbFJKZDA1cVFUTk9SRTE1VFhwRmVrMTZTekJPUkZsNVRVUkxkVUpSUTI0M1p6SnJRRTFGVkVFaWZRIiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMjk1LjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzJFMjU3M0ItQTM2Qi00NEVCLUE4MjMtRUM1MDczRkEyRjMyfSIgdXNlcmlkPSJ7NTUxNDkzMkQtOTJDNC00Nzg1LTgwNkEtMzBFODRGMEREQkJGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezMzQjUyQTBCLUEzM0MtNDA3OC1COTZFLTMyNEU5NzM1MDc0Mn0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0Q4OTY4RkYyLUUwQjEtNEExMy1BM0UyLUM5RjI5OTVGM0JDNn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4yOTUuMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:324
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TkRFMHN6QzBzRFEwTnpFME56QXhNVEUwTlRJd05qQTNORE15TXpFek16SzBORFl5TURLdUJRQ243ZzJrQE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{32E2573B-A36B-44EB-A823-EC5073FA2F32}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1792

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVpVcDVjbFpwY0U5TVV6ZFBlazB0VEhvd2VGSnpiRWwzVGtSRk1ITjZRekJ6UkZFd1RucEZNRTU2UVhoTlZFVXdUbFJKZDA1cVFUTk9SRTE1VFhwRmVrMTZTekJPUkZsNVRVUkxkVUpSUTI0M1p6SnJRRTFGVkVFaUxDSnlaWEYxWlhOMFgzTmxjWFZsYm1ObElqb3dmUSIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjI5NS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezMyRTI1NzNCLUEzNkItNDRFQi1BODIzLUVDNTA3M0ZBMkYzMn0iIHVzZXJpZD0iezU1MTQ5MzJELTkyQzQtNDc4NS04MDZBLTMwRTg0RjBEREJCRn0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9IntGMDMzMzlGRS1CMEMwLTRGRTUtOTM5Ni1FNzkzNzBDMjdBNDJ9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntDQzQ2MDgwRS00QzMzLTQ5ODEtODU5QS1CQkEyRjc4MEYzMUV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjcyMSIgZXh0cmFjb2RlMT0iMjY4NDM1NDU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dropbox\Update\1.3.295.1\DropboxUpdateHelper.msi

Filesize
24KB

MD5
e07700021f5ebe857b9541eb74769b7a

SHA1
9ffdc2ca6a7c7d057519d6def465f7df95f82472

SHA256
842f707c0fd51ddb29f93701520d947dee6b78d1a6b9d6babdd61615b99c5e28

SHA512
6a24cb16bba0ac51b943c3760451a0388718c7ef1e6bfee9e5495ba8f71698de522f0833c6f59d1bf16e746ce1ea3bc6d5e312c29989c58277fc3922981a07ed

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.295.1\psmachine.dll

Filesize
208KB

MD5
114ede96aa9a6f39f8c821419d1cef06

SHA1
a4b7273c4980db0dbb9c13fac0640751a192fa30

SHA256
4a44421e45939be963163c13673dff7ed6bbc924568306617126090e96e3617a

SHA512
0f811f09eab7f293feccf47d528d56b5ff922c0db0d77c083b974baffa9b421bdb785e06637b2611ca6bfd234897ca728f6bc22a85b5452261a7bac3f0010869

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxCrashHandler.exe

Filesize
128KB

MD5
a4b4391196cde83e9e0357e166e16a79

SHA1
54fb769839afc8d02c958cd78a9bfeff8c57ae8e

SHA256
947c53b349795f0d5d02f977d3ce7cb047c51824b7137ea860295dc275ae1220

SHA512
61b91d08efe051d73a853c5572c41b108e46323427a2983c5b0824df1bc6f6f4183f25422f9e49985f7767e670884b40d03a83a5b36b0808cd4cda7345ace81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdateBroker.exe

Filesize
74KB

MD5
8ce297c6761fc36052b685c6f79185f0

SHA1
acdd8ef955f33f9cc07e673e381055fb2985f5ea

SHA256
0ada14d53c1ce3857f59028cf750489d900ab1c404e6c32913f7aeaaaced006e

SHA512
8ac5fca366eed4359614efb72a21b0b9027fdc9e742b4d216aa2b179ba2e028a55b184d87ea820e4c68166838fecd2ec694de6f4dcd40193c122fe618268ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdateHelper.msi

Filesize
24KB

MD5
e07700021f5ebe857b9541eb74769b7a

SHA1
9ffdc2ca6a7c7d057519d6def465f7df95f82472

SHA256
842f707c0fd51ddb29f93701520d947dee6b78d1a6b9d6babdd61615b99c5e28

SHA512
6a24cb16bba0ac51b943c3760451a0388718c7ef1e6bfee9e5495ba8f71698de522f0833c6f59d1bf16e746ce1ea3bc6d5e312c29989c58277fc3922981a07ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdateOnDemand.exe

Filesize
74KB

MD5
b2a76437d2d92039dff0fca059d13005

SHA1
2d3ef89466ffb11c66d2c3c53cd0b3528fde5d9e

SHA256
e7e43b2d32dd39a40bf3a85e6a24cd8c11fa6b48c0c58717aa6b0ae587b6ecef

SHA512
458307808155acdf3492c7b805729a803b66daba02ac7e7a48f2d4ed6dda0163a9450a704905ab109c42b939a1074369a0b6d7c70b6a7d6c13ec55d4ffa10f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_da.dll

Filesize
29KB

MD5
858e075275d7f204065b5902aa8eb560

SHA1
f5d5ea6b938c331369e781902ba23131490f0a91

SHA256
ffccff94afa3e356600cae838e37d79911c5616f281915d43d3cffd8c7aad797

SHA512
73f15b935fa0aeb066d3980e11751660232501ca0aaf4d4ff765cc5d6ee21bf6c24e057181adb32faa23ac5732a220615588f0a24718e4edee1f0f7ff2a7e1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_de.dll

Filesize
32KB

MD5
ed1e2c5e66e3e0dee8155cab951f05ae

SHA1
dd82d3343f7b0ed7fcf755a8bd8be6ca269383d6

SHA256
0012aee3b4903a92f5f1061096ac1545e3375008a0b7606e91ab30721753ed88

SHA512
8d7e833204f79fc83e24d0668ffb6243fe96c5cd2d3c07867d23e4bcd5479d40ca5a6eefd17f5ba251b511708b52a85a2d4f7d95b5255442b87e9f809ebf26ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_es-419.dll

Filesize
30KB

MD5
ac348870889cc7e97a5fae76f44e3a95

SHA1
d17f3774f172354e156c1039057df3c5f2d1e2ec

SHA256
0214b00d0de0584eaa8db2b201c24b8f7296e51efaa6cc878d05523d9113583e

SHA512
e691e357f49e8445abd31d9d6cbbd09e3439691b9abdd4c1d5e917f0f4343cc6fcb93fc68798d5582b76ff2f6ff290973e13c5f8880755acc9fb19685ff651a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_es.dll

Filesize
29KB

MD5
93a98435fb8c021b32468029e90ec3d2

SHA1
4446c83d5f35ff1428c2a9fd1438d6a41da45654

SHA256
4a73e1f11597ba72932712cc802066c3d45fccb09c6bf178ec5672688fd071a5

SHA512
f6415d103b94675861e39a91d475bd29a354e4d664583c64708539281e0e9a1525ea6aaec594c317f0d8ceb1689e4b6df35fd6269fea606ef962e3167e9feed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_fr.dll

Filesize
31KB

MD5
ba01eead2b926ae70ecc944f17b07473

SHA1
6c02b04689a46b26557e9a3ba05c799f09a60e8c

SHA256
862fb93ccb437898af18dae66b3c95e09741130d38df1a856f1da943f9802361

SHA512
18e4b67fc2ae202986629d2f21df2ab4317a9876bcf8125ad0759a5c33db98912b07ab70c9b22aeaba4395878dd7c8071b91c699fad71100f52d7bc356f7148f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_id.dll

Filesize
28KB

MD5
bf76f1fe693b7257fa1f350cdb13e661

SHA1
0024a7342cc204b37ccf54394efc3884b75560c8

SHA256
84fe488635fd3e9ec124ead6d7e239674af0b5753140dff13601d2fe85ed7776

SHA512
6228170468e853a81309c57b194ba53f1ceabbec9af0b7671a2b70cfed6258e2b95e05da964a21606f0d44334bfddcb454aa8dceef9421ac72cb4dfc33e0b7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_it.dll

Filesize
30KB

MD5
7d5d5a10c64aa7d957bf0c91e43b62c2

SHA1
9e0f5b30e2e531a68187b5287e4baea2d89d4162

SHA256
9c09348946ca00b7315ce0b8bb65e4f5e68407d4b696eb390c21a56dd5f0406f

SHA512
41e3bb629e3c91613f6140068449bf721bce0b8346f151d68d79f7c7886349d5ca1e1942beefb5ed22a784a99ce6a2e1d6b4f16920c953cf9f4cbaefab8aa3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_ja.dll

Filesize
24KB

MD5
1058f29c2ac5b2135eb16e105e653200

SHA1
fbe9f71ea0b458a77543c5cd9208aa52a66acb09

SHA256
6c3d31842691d7554127657223c07954c3b8da50dff53af8e842962c99d4bb49

SHA512
07ccf3a5b5be296b6f4aba315408724f86aed93e205e36c237c897c2eebc29d6962f074192bd5b842bdebec5d2269b583d404e07da2cf330a54d8c8ed6a717e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_ko.dll

Filesize
24KB

MD5
beb74dfc02292b65b295ad266bb82039

SHA1
7fb390f45b79cac6e95e56cde013d98a83d5d6ab

SHA256
b811083ab52de3c97a50f62cab43e9b2e398cb24411f087b5c88819a77a6499a

SHA512
1e81fe5f62763a0a5f90b624acfb1f1a9b966e55148e0811b8b27cfbe4670287cdc51c2d4869472bd8b5fc8d3fcd41c45f2e8ff525cf36ca61fe0df43ae3abd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_ms.dll

Filesize
28KB

MD5
41023e0b00008ea1d8bc949838e501aa

SHA1
e7c50b3c5f0ce1e1213ac3242b0dd4b363aac96f

SHA256
20bca143be68c3ad63378e27e6e6b4de251b59199312bfcd094d545463962d38

SHA512
87fe14c5518fe58f2510565b4ce2a06187abb0c22ab4cb2929663fcd87057a36c44defb6faf325768793091959dbb56628d827227cd9f3be2220d5b558e33152

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_nl.dll

Filesize
30KB

MD5
dc208fd3a34063907f258e25a36bfc28

SHA1
7f17275f9983bed5aa1b8186b5efa3e4af140f1d

SHA256
4843e62c8870f6ef182fb3f96ee06c527f73424fa42f509132f0067f63f6cf14

SHA512
3e3baf47929db9f9698211e8c81e1b3631f83eb788216e21486cec69485d9e2474566f04c1c4bc21919d8d7ec02c6b35a8940b280502677b974e8efa0efe66c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_no.dll

Filesize
29KB

MD5
61f01599fedc94ec15194a878c3ce561

SHA1
9e52f4ed74422851523b55e7285a9afd610ee72e

SHA256
de04afd540f4dd1518035e48a410c7ba622f3c76bd7e64361a219df51fc7924b

SHA512
9a56fd8619ed66364d1e632451e56786423804ee5861be0ec29b097cef88a4efec649654848a69e0bd595b8b1dbc4b75e4480a6c68141b49d8ab39609d2eaaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_pl.dll

Filesize
30KB

MD5
a32cd7fd637692c8a944b6192566c185

SHA1
ef97c860083ddc60e5561472a5aa16d5a7e715da

SHA256
c32a2922129f62af1653a0250ed14aea8ff4c5c01ba6e4f81f51de5fa173f847

SHA512
33b41e7a723ed89eebd302d495cf0aef84646e0d375823ee27ef68a0921df2b83dc1363a24e4b0cc456567042768d900ef02fac07d608a9c0cc7daa2ad52f1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_pt-BR.dll

Filesize
29KB

MD5
184bea735aea54268f5a91f936bf5130

SHA1
7a446ad5b5a04ec5dc83373394f69e6111f0d8de

SHA256
2235ebed3c6c502bf2193223ae5f4ad6bbf31d6e4990a153ede358484fd3bd18

SHA512
52e5d24bb2ed045bc092002bebdf87dbcf8d60e5f4ad097371da6c10d6d31b977e330c3f61861001cc1e348ffb94d6b6e6247148037a6a101a8e709a56caef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_ru.dll

Filesize
29KB

MD5
27a4ffc1e97e7a8523b2f5dc8414efbe

SHA1
c299dbd46c1b98d4f709cd6893218a4b2efe2c2f

SHA256
0d0ca506d6f46daf40b6518501675cf454de47fcb4200d1597fbb62db269725e

SHA512
8ff2ba4d607c5851265755a9f014fdbbc0114660bc1206ee810367fcc24ca6213bb11e00408217e48c847562273c273cff69f99082d9c56c6209cffa22ca95eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_sv.dll

Filesize
29KB

MD5
fdaaf47df563ff5cc7ef83efba1fd718

SHA1
5dc1ab8d83178dd4c3812f57486d11efe0b37e85

SHA256
8ce4ae9f3c0612b7b1be68412544c55b46d7120ac068dff39cffae3d3a5e2a9d

SHA512
4babc633ddce9863af010f9fa3649c0f220ec2dd4cc82e8d24d4593ba4012e4e722e0696281c08b23734ed75876d9a6b124a181ec1f659446c58162cbd13eabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_th.dll

Filesize
28KB

MD5
4681da2e3b849b6a80025adfd0614ad2

SHA1
6718ae6a6b555cc161583ab50b11697b4b0dcd0e

SHA256
cea26e8310751e9efd705a1a49dd48408c4091124062073e452acbb763bdbff6

SHA512
c9093c9e9055050e493af8df3f903b0b515ea84aaac6a3a767956e86250a634f6331500c9883ce74af2976b7736b686c06d4fe66998c118cf203042af5895fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_uk.dll

Filesize
28KB

MD5
ba4ccfb894f5b3a9d01e66d93f891512

SHA1
71241421df4cfb27025b5b85926dbc0cd269ccdc

SHA256
ddfabdc9001bfc47f4c2f2265df96b317ae680812d2fa0c160910e54aad40537

SHA512
ab274378705cb57f1ca5e998205bdde7f5939f6dae8c1ebf9e10f44572066bba0387c739aaee6d8e51dd7af1b512be22c75d266de629f8a806174e5132fd372e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_zh-CN.dll

Filesize
22KB

MD5
c18e71151c5a153343c738e644abed6a

SHA1
f0b5ee4d13fe9a987e15f711f9477e152918ee4e

SHA256
f82faaaffae52b061aefd024393756b876a730996c244157051ee24e6cbaa991

SHA512
9040365817fdef4885a6a0e0547d96acef46185fdcd0451c753ba125571ba91b490515cdd21e70d95326419de8abe3911c1d9a4bc271bdfee561139bb6d994a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_zh-TW.dll

Filesize
22KB

MD5
7ac066e4f60bc7f6c4ed419078d76515

SHA1
6a7dc5ab268d0c7dc189e5d77f5d3fbbd63abf5f

SHA256
5ae59f8c657d311dc74b411785ed6bb2d390c153b200a8b965cf938314df8c43

SHA512
be109c54a8e85193e9597277db9bde16400a192496b9ecc700959d8dbace2fbfedd0762a3d9a898b3cd56215cf3368b5bd7a08a0ebd9e6425d6699cce4e20ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\npDropboxUpdate3.dll

Filesize
270KB

MD5
bbf12fc50029d8e7e0c3d5613eb59a68

SHA1
bb6e06d52d510253155e910b4a0745a16b488a3a

SHA256
8f183b8f590cf31fdde97d4204c6f5a21a6e7a9c02e9d23d761f1449472749cc

SHA512
2f45b638bafea10a66f67e5a6f0176f1ea390349210eee78a86b4a14d8f5d050b2e3c86bb57036d29b5cf4339d626fc73ea27e3af26c614a4109eeddd43a87e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\psmachine.dll

Filesize
208KB

MD5
114ede96aa9a6f39f8c821419d1cef06

SHA1
a4b7273c4980db0dbb9c13fac0640751a192fa30

SHA256
4a44421e45939be963163c13673dff7ed6bbc924568306617126090e96e3617a

SHA512
0f811f09eab7f293feccf47d528d56b5ff922c0db0d77c083b974baffa9b421bdb785e06637b2611ca6bfd234897ca728f6bc22a85b5452261a7bac3f0010869

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\psuser.dll

Filesize
208KB

MD5
ac9bb31ad465326610c7751bb6c9715b

SHA1
2dd800e7247784af6a5ed3dd57cd06f1dd41bf83

SHA256
58f4106975ee96919c841e61f85c5a777ad6f6d9b529491ea21d8b211109353f

SHA512
75ff3fdb1c234d72a5286daf19238167e3bb64206237f4230f607a37fd9cf08189b58b0293ad202ea81f1cb965cc1a91ac674d849a2b38094047e92c44489eb7

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\npDropboxUpdate3.dll

Filesize
270KB

MD5
bbf12fc50029d8e7e0c3d5613eb59a68

SHA1
bb6e06d52d510253155e910b4a0745a16b488a3a

SHA256
8f183b8f590cf31fdde97d4204c6f5a21a6e7a9c02e9d23d761f1449472749cc

SHA512
2f45b638bafea10a66f67e5a6f0176f1ea390349210eee78a86b4a14d8f5d050b2e3c86bb57036d29b5cf4339d626fc73ea27e3af26c614a4109eeddd43a87e8

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\psmachine.dll

Filesize
208KB

MD5
114ede96aa9a6f39f8c821419d1cef06

SHA1
a4b7273c4980db0dbb9c13fac0640751a192fa30

SHA256
4a44421e45939be963163c13673dff7ed6bbc924568306617126090e96e3617a

SHA512
0f811f09eab7f293feccf47d528d56b5ff922c0db0d77c083b974baffa9b421bdb785e06637b2611ca6bfd234897ca728f6bc22a85b5452261a7bac3f0010869

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\psmachine.dll

Filesize
208KB

MD5
114ede96aa9a6f39f8c821419d1cef06

SHA1
a4b7273c4980db0dbb9c13fac0640751a192fa30

SHA256
4a44421e45939be963163c13673dff7ed6bbc924568306617126090e96e3617a

SHA512
0f811f09eab7f293feccf47d528d56b5ff922c0db0d77c083b974baffa9b421bdb785e06637b2611ca6bfd234897ca728f6bc22a85b5452261a7bac3f0010869

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.295.1\psmachine.dll

Filesize
208KB

MD5
114ede96aa9a6f39f8c821419d1cef06

SHA1
a4b7273c4980db0dbb9c13fac0640751a192fa30

SHA256
4a44421e45939be963163c13673dff7ed6bbc924568306617126090e96e3617a

SHA512
0f811f09eab7f293feccf47d528d56b5ff922c0db0d77c083b974baffa9b421bdb785e06637b2611ca6bfd234897ca728f6bc22a85b5452261a7bac3f0010869

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdate.dll

Filesize
1.1MB

MD5
1594a23464b4c2ee59a172227826901c

SHA1
5bacfdd4566cbeeb30ced424d342a036c3c4f19d

SHA256
42aa0a87730e10cb402ff4a4ee4542712235d7cd52859e0018b9825c2e8cccb7

SHA512
0c5d9ad7428ab917b3c7a7d4c07c0c2231cc203369cd281ae3d348cebb4d1f0e2be03016aa9280c1177a832f9e0a0751d05d795cb60268ae0f3147e173af9852

Download Submit
\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
\Users\Admin\AppData\Local\Temp\GUM43A6.tmp\goopdateres_en.dll

Filesize
28KB

MD5
f37663265df727aed8210241347f1e64

SHA1
cf8e8579f501edda0d769dcad4673dd8a5ccab67

SHA256
8a52c263087a104d4d054111cf77eb7518dfc661ee32d4fe8cdaba0f5e470043

SHA512
33c9aa87517524564ff8a76583bb2b4f8b9d4ef572315bf98e703aa489928c93488d4fb4c217a6dece3093513718ff92859b3e3ab4b13725273d52dc918b8491

Download Submit
memory/324-114-0x0000000000000000-mapping.dmp

Download
memory/684-57-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/684-55-0x0000000000000000-mapping.dmp

Download
memory/856-92-0x0000000000000000-mapping.dmp

Download
memory/1060-103-0x0000000000000000-mapping.dmp

Download
memory/1544-100-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1548-128-0x0000000000000000-mapping.dmp

Download
memory/1792-119-0x0000000000000000-mapping.dmp

Download