649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40

Analysis

max time kernel
73s
max time network
103s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/11/2022, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe
Size

654KB
MD5

3638b78963ce30dc1faffaec1595cb86
SHA1

a5c64d95d974f834ac04ae996bab8aa2058b1cf9
SHA256

649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40
SHA512

90997bfd9c1a4d76c3e40031048f0dee3da6751e8eaa735e33369f887ffe1d2b268f795ee3cadaae89fb0a8560daaa2817e4f0d01224d08457592bf37963efaa
SSDEEP

12288:Z/iSuOs4HEI4rcS9UA5WxsD+c66j/Spx+Mx3yhTy6iai62UF4kaytvmOA0T:Z/iKsVIoceUA50sD+clAyhTYaT2Uqkay

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1036	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1072	DropboxUpdate.exe
1712	DropboxUpdate.exe
1964	DropboxUpdate.exe
876	DropboxUpdate.exe
604	DropboxUpdate.exe
924	DropboxUpdate.exe
2040	DropboxUpdate.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe\DisableExceptionChainValidation = "0"	DropboxUpdate.exe

Loads dropped DLL 29 IoCs

pid	Process
1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe
1072	DropboxUpdate.exe
1072	DropboxUpdate.exe
1072	DropboxUpdate.exe
1072	DropboxUpdate.exe
1712	DropboxUpdate.exe
1712	DropboxUpdate.exe
1712	DropboxUpdate.exe
1072	DropboxUpdate.exe
1964	DropboxUpdate.exe
1964	DropboxUpdate.exe
1964	DropboxUpdate.exe
1964	DropboxUpdate.exe
1072	DropboxUpdate.exe
1072	DropboxUpdate.exe
1072	DropboxUpdate.exe
1072	DropboxUpdate.exe
876	DropboxUpdate.exe
604	DropboxUpdate.exe
604	DropboxUpdate.exe
604	DropboxUpdate.exe
924	DropboxUpdate.exe
924	DropboxUpdate.exe
924	DropboxUpdate.exe
924	DropboxUpdate.exe
604	DropboxUpdate.exe
924	DropboxUpdate.exe
924	DropboxUpdate.exe
2040	DropboxUpdate.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_ru.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_sv.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_zh-CN.dll	DropboxUpdate.exe
File opened for modification	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_da.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_ja.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_ms.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_no.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxUpdateOnDemand.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_fr.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_it.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\npDropboxUpdate3.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\psmachine.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_de.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_id.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_th.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_uk.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_zh-TW.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_pt-BR.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxUpdateHelper.msi	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\psuser.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_es.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxUpdateBroker.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxCrashHandler.exe	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_es-419.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_nl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_pl.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_en.dll	DropboxUpdate.exe
File created	C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_ko.dll	DropboxUpdate.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c2699.msi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job	DropboxUpdate.exe
File created	C:\Windows\Installer\6c2697.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c2697.ipi	msiexec.exe
File created	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job	DropboxUpdate.exe
File created	C:\Windows\Installer\6c2695.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c2695.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\CLSID = "{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\Policy = "3"	DropboxUpdate.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService\CLSID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassSvc\CLSID\ = "{76E258F0-DE86-4CEC-9D30-3F728A898741}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D412914-1C4F-447D-80D2-E7F9BB302B05}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\ProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8474489-B2C1-4CE8-852D-FF8A916C91F0}\ = "ICoCreateAsync"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A496C5D9-84FE-4E84-9D20-7481589E1C23}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dropbox.OneClickProcessLauncherMachine\CurVer\ = "Dropbox.OneClickProcessLauncherMachine.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90AC42F5-B136-4079-B7A1-0A61FC86685D}\NumMethods\ = "42"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E54806CB-0046-4BCF-B389-3A6F732DC6E6}\ = "Dropbox Update Broker Class Factory"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\VersionIndependentProgID	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\Elevation\IconReference = "@C:\\Program Files (x86)\\Dropbox\\Update\\1.3.335.1\\goopdate.dll,-1004"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E6CC2A7CB440C2A4DBE17EE5DAC2110B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E6A6F19-65F3-4CF2-A561-79B046D91D35}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E396485-96EB-4906-B2C5-3E0F1E7748C3}\ = "Dropbox Update Core Class"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine\CLSID\ = "{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E6CC2A7CB440C2A4DBE17EE5DAC2110B\5A812990327ACD34D85B163756A6E149	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\ = "DropboxUpdate Update3Web"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3363994D-A786-4A32-A745-48B9B6EA709A}\VersionIndependentProgID\ = "DropboxUpdate.ProcessLauncher"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreClass\CurVer	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachineFallback\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E6A6F19-65F3-4CF2-A561-79B046D91D35}\ = "PSFactoryBuffer"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebMachine\CLSID\ = "{04F3B937-6C9D-4DAC-9477-8C35E24B25D1}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\VersionIndependentProgID	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\Elevation	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoreMachineClass\CLSID\ = "{9E396485-96EB-4906-B2C5-3E0F1E7748C3}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28F751F5-74E3-4C46-8174-D8D8A6BAF83F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Dropbox\\Update\\1.3.335.1\\DropboxUpdateOnDemand.exe\""	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\LocalServer32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\CurVer\ = "DropboxUpdate.Update3WebSvc.1.0"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}\NumMethods	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CoCreateAsync\ = "CoCreateAsync"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49423331-2B41-4EDE-838E-F8C8F3F6BF62}\Elevation\Enabled = "1"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.CredentialDialogMachine	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3COMClassService.1.0\ = "Update3COMClass"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\SourceList\Net\1 = "C:\\Program Files (x86)\\Dropbox\\Update\\1.3.335.1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AF89161-A408-4DFD-9DE2-3C3B7BDB14E2}\VersionIndependentProgID\ = "DropboxUpdate.CredentialDialogMachine"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58237066-0A7A-4C18-B132-D7BE280A6327}\ProxyStubClsid32\ = "{7E6A6F19-65F3-4CF2-A561-79B046D91D35}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\NumMethods	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEF2D6E-1CE5-4823-88D0-7F727719D0A2}\NumMethods\ = "4"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8158CAB-1B7C-4A15-860E-AAA364E77334}	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher\CurVer	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DE7C611-9E6D-468F-8AA2-26C08DB4A687}\ = "IAppVersion"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EF028154-CA20-4F73-ACBB-82451B78F1E6}	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc.1.0\CLSID\ = "{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}"	DropboxUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A812990327ACD34D85B163756A6E149\AuthorizedLUAApp = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.ProcessLauncher	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E38012B-D35D-4278-BBFD-E5AC871D3E60}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F448B4EA-A094-491A-BF61-9AF6CD450C7D}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A89190B-400F-47DB-960A-7D5A1325A2C8}\ProxyStubClsid32\ = "{7E6A6F19-65F3-4CF2-A561-79B046D91D35}"	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8474489-B2C1-4CE8-852D-FF8A916C91F0}\ProxyStubClsid32	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60ACA18E-54E6-43F8-A1A4-C4176B6C994E}\ProxyStubClsid32	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}\LocalService = "dbupdate"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}\ProgID\ = "DropboxUpdate.Update3COMClassService.1.0"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DropboxUpdate.Update3WebSvc\CLSID\ = "{E58F67C2-BC84-4C7C-AC35-4FFBB25A47E6}"	DropboxUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82821E4E-4B46-430D-8BB8-8B480FC9D8A5}\VersionIndependentProgID\ = "Dropbox.OneClickProcessLauncherMachine"	DropboxUpdate.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1072	DropboxUpdate.exe
1036	msiexec.exe
1036	msiexec.exe
2040	DropboxUpdate.exe
2040	DropboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	DropboxUpdate.exe
Token: SeShutdownPrivilege	1072	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1072	DropboxUpdate.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeSecurityPrivilege	1036	msiexec.exe
Token: SeCreateTokenPrivilege	1072	DropboxUpdate.exe
Token: SeAssignPrimaryTokenPrivilege	1072	DropboxUpdate.exe
Token: SeLockMemoryPrivilege	1072	DropboxUpdate.exe
Token: SeIncreaseQuotaPrivilege	1072	DropboxUpdate.exe
Token: SeMachineAccountPrivilege	1072	DropboxUpdate.exe
Token: SeTcbPrivilege	1072	DropboxUpdate.exe
Token: SeSecurityPrivilege	1072	DropboxUpdate.exe
Token: SeTakeOwnershipPrivilege	1072	DropboxUpdate.exe
Token: SeLoadDriverPrivilege	1072	DropboxUpdate.exe
Token: SeSystemProfilePrivilege	1072	DropboxUpdate.exe
Token: SeSystemtimePrivilege	1072	DropboxUpdate.exe
Token: SeProfSingleProcessPrivilege	1072	DropboxUpdate.exe
Token: SeIncBasePriorityPrivilege	1072	DropboxUpdate.exe
Token: SeCreatePagefilePrivilege	1072	DropboxUpdate.exe
Token: SeCreatePermanentPrivilege	1072	DropboxUpdate.exe
Token: SeBackupPrivilege	1072	DropboxUpdate.exe
Token: SeRestorePrivilege	1072	DropboxUpdate.exe
Token: SeShutdownPrivilege	1072	DropboxUpdate.exe
Token: SeDebugPrivilege	1072	DropboxUpdate.exe
Token: SeAuditPrivilege	1072	DropboxUpdate.exe
Token: SeSystemEnvironmentPrivilege	1072	DropboxUpdate.exe
Token: SeChangeNotifyPrivilege	1072	DropboxUpdate.exe
Token: SeRemoteShutdownPrivilege	1072	DropboxUpdate.exe
Token: SeUndockPrivilege	1072	DropboxUpdate.exe
Token: SeSyncAgentPrivilege	1072	DropboxUpdate.exe
Token: SeEnableDelegationPrivilege	1072	DropboxUpdate.exe
Token: SeManageVolumePrivilege	1072	DropboxUpdate.exe
Token: SeImpersonatePrivilege	1072	DropboxUpdate.exe
Token: SeCreateGlobalPrivilege	1072	DropboxUpdate.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe
Token: SeTakeOwnershipPrivilege	1036	msiexec.exe
Token: SeRestorePrivilege	1036	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1652 wrote to memory of 1072	1652	649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe	27
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1712	1072	DropboxUpdate.exe	28
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 1964	1072	DropboxUpdate.exe	30
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 876	1072	DropboxUpdate.exe	31
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 1072 wrote to memory of 604	1072	DropboxUpdate.exe	32
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34
PID 924 wrote to memory of 2040	924	DropboxUpdate.exe	34

C:\Users\Admin\AppData\Local\Temp\649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe
"C:\Users\Admin\AppData\Local\Temp\649f0f4b37f7601dee6c739b5df1338c3d07e545b7d84e1011b3339c3f1e2c40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055OEVLd2pBTUFOQmZHVG1MTkUzU05KN1ZnNmdnSHZRMmhCV2NrdzdXeWhEeDNfWGQzd2R1cjNwdjZ6aWtES3NHcHZlODFUS2Q1bnhFNHN2bVVOZTJ2LWJkT1EyaGV6empFc1hNbzBSbFdEUlFVaW45bU51LS0yZnZ4SEV3RlUta2ppSlRGR01qMGFqQkVSb0daZlRmSHlONUlFa35ATUVUQSJ9"
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:1712
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1964
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGphSEp2YldVNk9tVktkMDU1T0VWTGQycEJUVUZPUW1aSFZHMU1Ua1V6VTA1S04xWm5ObWRuU0haUk1taENWMk5yZHpkWGVXaEVlRE5mV0dRemQyUjFjak53ZGpaNmFXdEVTM05IY0habE9ERlVTMlExYm5oRk5ITjJiVlZPWlRKMkxXSmtUMUV5YUdWNmVtcEZjMWhOYnpCU2JGZEVVbEZWYVc0NWJVNTFMUzB5Wm5aNFNFVjNSbFV0YTJwcFNsUkdSMDFxTUdGcVFrVlNiMGRhWmxSbVNIbE9OVWxGYTM1QVRVVlVRU0o5IiBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMzM1LjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTE0NDdEOTktNTRFQy00NTEwLUJGOTMtRTA4NkIyOEU0RjExfSIgdXNlcmlkPSJ7RDQ5N0Y3MzEtRTA2RS00NkQ5LUJBRDAtQTM1Qjk3NEZEOUI4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0QxOTkxRERELTc4Q0ItNEUwQS1BNTcxLUIyMUEzRkVCRDJDMX0iPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0ie0Q4OTY4RkYyLUUwQjEtNEExMy1BM0UyLUM5RjI5OTVGM0JDNn0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuMy4zMzUuMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:876
- - C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055OEVLd2pBTUFOQmZHVG1MTkUzU05KN1ZnNmdnSHZRMmhCV2NrdzdXeWhEeDNfWGQzd2R1cjNwdjZ6aWtES3NHcHZlODFUS2Q1bnhFNHN2bVVOZTJ2LWJkT1EyaGV6empFc1hNbzBSbFdEUlFVaW45bU51LS0yZnZ4SEV3RlUta2ppSlRGR01qMGFqQkVSb0daZlRmSHlONUlFa35ATUVUQSJ9&nolaunch=0" /installsource taggedmi /sessionid "{91447D99-54EC-4510-BF93-E086B28E4F11}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
  "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBkcm9wYm94X2RhdGE9ImV5SlVRVWRUSWpvaVJFSlFVa1ZCVlZSSU9qcGphSEp2YldVNk9tVktkMDU1T0VWTGQycEJUVUZPUW1aSFZHMU1Ua1V6VTA1S04xWm5ObWRuU0haUk1taENWMk5yZHpkWGVXaEVlRE5mV0dRemQyUjFjak53ZGpaNmFXdEVTM05IY0habE9ERlVTMlExYm5oRk5ITjJiVlZPWlRKMkxXSmtUMUV5YUdWNmVtcEZjMWhOYnpCU2JGZEVVbEZWYVc0NWJVNTFMUzB5Wm5aNFNFVjNSbFV0YTJwcFNsUkdSMDFxTUdGcVFrVlNiMGRhWmxSbVNIbE9OVWxGYTM1QVRVVlVRU0lzSW5KbGNYVmxjM1JmYzJWeGRXVnVZMlVpT2pCOSIgcHJvdG9jb2w9IjMuMCIgdmVyc2lvbj0iMS4zLjMzNS4xIiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezkxNDQ3RDk5LTU0RUMtNDUxMC1CRjkzLUUwODZCMjhFNEYxMX0iIHVzZXJpZD0ie0Q0OTdGNzMxLUUwNkUtNDZEOS1CQUQwLUEzNUI5NzRGRDlCOH0iIGluc3RhbGxzb3VyY2U9InRhZ2dlZG1pIiByZXF1ZXN0aWQ9InsxMTdDRkM4My1BNTIxLTQ2RDUtQTg5Mi02OTc0MzQ2OTM2MUF9Ij48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9IntDQzQ2MDgwRS00QzMzLTQ5ODEtODU5QS1CQkEyRjc4MEYzMUV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9Ii0xIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjcyMSIgZXh0cmFjb2RlMT0iMjY4NDM1NDU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dropbox\Update\1.3.335.1\DropboxUpdateHelper.msi

Filesize
24KB

MD5
8d2a3dd90a921cc34164c04aca1ded00

SHA1
667f95f37f076468c4b8b990b71cf3122b0abb65

SHA256
4c9b7ebc6ac41df08c2d25aed2443bcbd6017d3b1bb7522e3d21438f6b2570d7

SHA512
ac1e5761d41fcb8884f9c9815057dd63973a8bd4b63c21044d7b4390d84295adf37614e2618260f205e2150b577dcd153f713cf285124197f5d5305f6b986e91

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
C:\Program Files (x86)\Dropbox\Update\1.3.335.1\psmachine.dll

Filesize
208KB

MD5
8b2600a15af93c8de7d602da943b3724

SHA1
459577f5feb897a48f3eeca5297721b49be9a633

SHA256
04342355272f97ae11db0cb9928c137ca24f0772b735a37f27e217beb6da7d81

SHA512
331fdf9af1eaf0d76971a3f752287220a331f6aef5bef680c04e592c03a76f59a3297507c7eae3eff8f0b676a8efd8b2ed89dad924e662c586a64ddc9506193f

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxCrashHandler.exe

Filesize
128KB

MD5
49be1d23c13eb51afcaf47b08d64ec4b

SHA1
7766ee7e27eb175c961daa8b9b3bba668754a27e

SHA256
f586d495a64f082433eb5885ebff934b3e544b0ec0b8796435329a6c0ce3650b

SHA512
c6169d697d0f160e697f918a4b7a2079427ad04a1451dc5151d9139fbc71c691c4f77d5ba6624a24763d49e99314a888b7fb4775559aad64b4f536c265bae019

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdateBroker.exe

Filesize
74KB

MD5
810a204d934a4708ebc950a0477869f9

SHA1
46e2729ed407e501c101a757741e5ee70cea005c

SHA256
ba7e733b9c810aaeb8ef10ac008014f467bba67d7274cdc72f5a45cd6c579f69

SHA512
de2459be945bd225b16239f2418d444eeebe9b0b59b087706e8f675db92e8b736ef830f57ff2fbddf1e0a876d3510101448312dcc4eff0637992e2dd72be479d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdateHelper.msi

Filesize
24KB

MD5
8d2a3dd90a921cc34164c04aca1ded00

SHA1
667f95f37f076468c4b8b990b71cf3122b0abb65

SHA256
4c9b7ebc6ac41df08c2d25aed2443bcbd6017d3b1bb7522e3d21438f6b2570d7

SHA512
ac1e5761d41fcb8884f9c9815057dd63973a8bd4b63c21044d7b4390d84295adf37614e2618260f205e2150b577dcd153f713cf285124197f5d5305f6b986e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdateOnDemand.exe

Filesize
74KB

MD5
ae70a96d9ad364a39dcac6cbc019e801

SHA1
c1d454ec1adc4edcb726376b79998ea22a086f3c

SHA256
d9be9d36cde01b178aeb4f5847a302bf7b588966dd7baf017ef818a0650c3531

SHA512
a9911113c913f2caebed79cdc1af489bd5bdadd5e12d58e384c7282679bff8342241d7ab4688cb41e6e9d4160b5c3a6acee210f04851463a8f7ba622438f6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_da.dll

Filesize
29KB

MD5
77c6caa66a4c703aa7df0ff6d7092000

SHA1
37fcc0250a3f745081e8afcdc8b58750e0f3b5de

SHA256
d7df11d1475a9f5ad45cfa318e08d2b032c0595f1e941a8bf8925e9c3453ca3b

SHA512
7fda0dd065a3d4c7e9bfdcc45144c64790e48f864d1a4320b24298896d8d7a2c47c884ea3ddb575ad5c2d082c6c9a5e377f6b2ad9a231abe1719aee61d5c2ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_de.dll

Filesize
32KB

MD5
bfba3a1afcb24b7170e26a0aeb0bdc3b

SHA1
7ae9806b16c3aa63987dbde7901a9c883b55a927

SHA256
f4411a25d3ebfb7b7b81049257c5b06986a9b0255f074249231f1ecb390c4d88

SHA512
328d4ff7f50416d337e4f45a294c796e7511935cf124991404cada87f2072396011016b9ae167f60daaee5959e7161de76fd383e9f43984c47b7dd69396cd4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_es-419.dll

Filesize
30KB

MD5
3dea46a9a669c75788f219460d1ae2b7

SHA1
9d3150d38a8dc0be22bea614658413d811cb01fa

SHA256
dd43049367d30563687ef1488125d7a00b718286f29d43e4dd20c8b4fd790898

SHA512
5247411c00413d7414e96b18e26970dc96f0e19293b0d09bedbde4cf976657caaaadd209656fef8841a10c4c174b8f83e3229924316be818b3cc1e4ee2a9b40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_es.dll

Filesize
29KB

MD5
02014838aab20f426b1c4defd610e712

SHA1
738cd239ed83a75556b185bda4b5173bfc2ce37c

SHA256
069c64216b88ffda30a542653ba5ca2e566de93ca54f9e8337b42c3301ec76ab

SHA512
45b2256ee02d842ee7865018b68111c13046c0069bf251e4c2e793d2183ccbec6cbb87aaa84b58afad33ff985a5a4152f97a1b2f46be373f0ddd5844e35740d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_fr.dll

Filesize
31KB

MD5
76aa89e3df9b7d1f64faee799f7bfa13

SHA1
33f5e22efe4b0bf7c11c540a2bac02faf7c9715c

SHA256
6bd83c538e21b4e3e020a7e3a56b12e2f054cd83ae8f7bc9076842b4a63175ff

SHA512
10e43bc30509fe3c24f0e0c6c9572a6ca05cb69f43a71e44ea4adb798be08b61c3ac7fcf57ff4ec39091744fda6d3fa6d0aca13c81012d03a70d4e5f2906c7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_id.dll

Filesize
28KB

MD5
fe304ca01a76afb91af046e506316da4

SHA1
9fec21dce8b23a934b03e37251d8ec2aefa9e397

SHA256
7fcb470bdeff7552b5e6acfdadf63ca483c6be071471eadd122c22bce2b2e2d5

SHA512
07878dfd97e69f732ec1a8f83acc1facffd16f54394e36d8d0bf8e406bf7065083a1ad3986c13b1646dae094b94b19e136a5e5fa49a0a646f9e308cd5c58be89

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_it.dll

Filesize
30KB

MD5
51a9f9cb45f43dc656c66c8f5496e666

SHA1
0c84f6c72e6e85d5f2e3561a917759c8900c6e0b

SHA256
69a27d3ee56015e592e1c08af409bee3426c77fb537f138882d944f271a1dec6

SHA512
ff156fa3f102dbeedc359a1a1edbec3c42d81f5fa00ada4fd55abd4f0fce5bdb373949e1ef6a15a72e169180556b90ced8e1910f2ef71a1da9a0b0545a97d6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_ja.dll

Filesize
24KB

MD5
7b53f8738d7214648ada3bf0f2a250f2

SHA1
a7c2ff3769ea0b24660de6dada90f9fdc3a92cd1

SHA256
87ca61f426eb474d7e784b07a4eb6d38925b34319d519c97615c3f5b2d356952

SHA512
e7fbabfe0ad49da1b8b55c657d0589f8d63209210b38adee125a24d38c366fadec95cf6ea14ff2923a5e551289171bf134935fca1a14a4e514b08f79124787b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_ko.dll

Filesize
24KB

MD5
8bb2c54e36d0600293ad1a7ba2907a32

SHA1
3935a05c2da12b8be8e6a581a357c5225c5867c1

SHA256
8c3681712ac694fc8440f1877044cb0ab1ea1667d35dad6bcfa93273258662a6

SHA512
f3424358972b3d68f1265b18d4a64d211b0f1556c7353d564c7b9df100e04dd7d11877ca186cdac49e8fb8a519364ccb4b46d6e449df19d1eabd6dc8f15e9a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_ms.dll

Filesize
28KB

MD5
25b9e91a180a2a6ab0e75777190f009d

SHA1
f9c201f8f0d1b2b2ac06c2f1816d1591102ae1dc

SHA256
c793bedd5a3247746e81c49f6712ce1d6c8fcac57eb36a086e44af6f97cea7e0

SHA512
726ee9c9a1798e457ef321e8c9c192e0139dbb5c9eeeeaea5db0eda734aba895e11a70a39ba4d923f0c306f06dbdbff0834618d813427e635fb42c398265e7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_nl.dll

Filesize
30KB

MD5
fc90ea8bc08b3444923654e8bf2dbfc9

SHA1
95ae86c59b78e8f93f75d13189e3c9cfac0f246b

SHA256
a44970b52e892f6bf74c69fdfb1fc6d252bc4d7988270189efd3cee741207a80

SHA512
28d91e1efbae910c174961b0c5975cb0fe8782c844504117acf840dfd1b99ffc53de3ead08e9d9dcdfb404ea819d607e263fa1d1666b1fb330e5c5b593e215eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_no.dll

Filesize
29KB

MD5
c48de6296fb92e482d810e013872d16a

SHA1
d7ed3e9721aac39b5d73ee77b6ce74ece32bde9f

SHA256
527ddda2527428abd28b45855ce289db488b92978873760a7bb67e61aaab5d00

SHA512
f58b36e7b9608b5dc073da175535ba2ca5e1637c89c35a7f8199e8dc44558246aa2ae2db9b3a70059b4a4c96485e7a162a88ac42858ee7abe9750140076552d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_pl.dll

Filesize
30KB

MD5
07ea1452f338add5de1e485606042ef6

SHA1
d683ae4e21561c6dcff56cdcdcfe25bc153d8903

SHA256
af1b17dda5127cf9b9fcb6909fd042fc8aef767bf8c7469fa16ffcbd08a5ecca

SHA512
3a135d599a1ee18a89b6c2fb695cada9369e395896ce7c51ddcfb210d971e7451f2fa809effd53d8cbd444cd3d7ef689da5c8b3be0fa3c0fa74cb978fcdd60a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_pt-BR.dll

Filesize
29KB

MD5
15438289a93d90f3cb77976b11988618

SHA1
724f05c5e4335f7f8f53106a26767332a080e2a0

SHA256
3ff02f876d1dbc3aa4280e41d7161e6f6973db0cfa19c16188d8555e449bc1ad

SHA512
28f3b1273637df9b37c9b1bc1c4450a34bbffac3580fa29006ae45fd4b3ecade9e6b6c03967f3bff2db96781db8deab397927429b24d8f29e3c70221a1d5b15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_ru.dll

Filesize
29KB

MD5
f431b8adc30cbe63e25feefe875c0715

SHA1
0e28856f0f5d8c63bb1963d5afa09605bfb7252c

SHA256
2c2b81a4f6d1ec16867e9fd808f42f11df2a7d4fea2478635d6b418846c5a389

SHA512
611f9911ee23cb776f90ba9b3c7fd26938cf9e2f72c6d35bdc00d7a7a8ed4f822989b80b5e44206021364f51df2e3d161b556329a029730cb268bbb6b442fae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_sv.dll

Filesize
29KB

MD5
77efad1a448acb29e501588a5763e852

SHA1
27707eaf53c2282c568a2468764dba9e45675881

SHA256
0e41b3c74cbe7b04c34d0bd06f16f16631d199e451b4015ef4bc7a819d7b8214

SHA512
900b0959b05ba7139e5f75639586ea4b58ec0376cd9cd73e1f0d55a1599e31e15179ae42a2a986afcab3dd6c5c714cfb3f32aabd12ba17c6d4245910a937ca6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_th.dll

Filesize
28KB

MD5
769521ffc16516879738d1db318f88cf

SHA1
272105e6fa75207011da6c417fcc299c345ff7cf

SHA256
524862033746d29198c3adfda42592b9286e54f86bc8bf19ff2be68728693bf1

SHA512
0f7351b08bf5e4aa718c281871e4aba44737978e6f40b15ab53abb3c0d407f10ad3a1b2a897def55c2c5dc2f4bff0fb67d4efb32248f57081e8f6b3770ebaaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_uk.dll

Filesize
28KB

MD5
9ec9ed7983dae25b6ca463c94f463e50

SHA1
1235b78353f93ca0222c8aa0c7112eb1c3027018

SHA256
4aa8047a87011a906763a8d84e464168d33974c0cdafb0729e4394d6aa6f7852

SHA512
185ba8bd2bb93d80c49d43870f52e0c4cbc6afe214144421e15851e84b8eef204acbab275efc61d89947eb3c4fee1a65436950b7d30a0f0195581692d2c5af4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_zh-CN.dll

Filesize
22KB

MD5
c91cb67db6b9052430c40fcb48fdcb84

SHA1
9bc4a3ce2dff587322bfac8bda8dbfe827b48dd2

SHA256
f1e791e2202412b515fbb15a974ff1aa3882fc11056af9a1e39240f7d483cbd6

SHA512
e2884c8fbe4cc8d8ea90497beb99af9652e9517e338eccb1cc925461dc813a93fbf924f2d6d063f9a94a5556e9d8d4d3602f7ddf3a43fc7a920bdd75f01360e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_zh-TW.dll

Filesize
22KB

MD5
e2943b119070b91dbcb854f0a741833d

SHA1
3267672dd089f7970621d3b3b961d725020bd83f

SHA256
05530cb4e37986052c893895d7f2c4e567517318afc44760e48c28ae02fbe496

SHA512
0fdb668345491cf1599366a7fc828ace467c08c2d1342f76e6da5b04e7e5c3855332a41ff68c179b938d4f006b414ee205a3815ff64b493ab6accce72508ec66

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\npDropboxUpdate3.dll

Filesize
271KB

MD5
8b69a7876b3d5332c587c717d929a8c6

SHA1
13e97d731a2b73cc594900b8597b1dd335f57b95

SHA256
aea6cb6f64d63abd020136b6fdfd3ba709895645b3d8c4a4857f6698d5fabc0e

SHA512
137effb448ce2ee5a2dd5ae987deebfeb8586619d3010d653ca1c7e3576664b7784c4dc15833291183cb77dae28066e89cf7882175a645d7eb2346bf90cd3bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\psmachine.dll

Filesize
208KB

MD5
8b2600a15af93c8de7d602da943b3724

SHA1
459577f5feb897a48f3eeca5297721b49be9a633

SHA256
04342355272f97ae11db0cb9928c137ca24f0772b735a37f27e217beb6da7d81

SHA512
331fdf9af1eaf0d76971a3f752287220a331f6aef5bef680c04e592c03a76f59a3297507c7eae3eff8f0b676a8efd8b2ed89dad924e662c586a64ddc9506193f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM926.tmp\psuser.dll

Filesize
208KB

MD5
fa26685a96179dbcdf5d9ee4653f3b87

SHA1
5abd1dd79fbc93cc561302ce290ea923526ca83d

SHA256
38be3407a81a6b479b8b6c1ca0c31f1d63ce28595b321c8006c85542b0566768

SHA512
660756f9e7f957add0a751cdde4c3312dd1dab5d715bfa6324d03f08fec7747f00e66e27d2e5585d8c509dee9ea69662f9e14ffaef448f0757ba83f9a1c181d0

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\npDropboxUpdate3.dll

Filesize
271KB

MD5
8b69a7876b3d5332c587c717d929a8c6

SHA1
13e97d731a2b73cc594900b8597b1dd335f57b95

SHA256
aea6cb6f64d63abd020136b6fdfd3ba709895645b3d8c4a4857f6698d5fabc0e

SHA512
137effb448ce2ee5a2dd5ae987deebfeb8586619d3010d653ca1c7e3576664b7784c4dc15833291183cb77dae28066e89cf7882175a645d7eb2346bf90cd3bb4

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\psmachine.dll

Filesize
208KB

MD5
8b2600a15af93c8de7d602da943b3724

SHA1
459577f5feb897a48f3eeca5297721b49be9a633

SHA256
04342355272f97ae11db0cb9928c137ca24f0772b735a37f27e217beb6da7d81

SHA512
331fdf9af1eaf0d76971a3f752287220a331f6aef5bef680c04e592c03a76f59a3297507c7eae3eff8f0b676a8efd8b2ed89dad924e662c586a64ddc9506193f

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\psmachine.dll

Filesize
208KB

MD5
8b2600a15af93c8de7d602da943b3724

SHA1
459577f5feb897a48f3eeca5297721b49be9a633

SHA256
04342355272f97ae11db0cb9928c137ca24f0772b735a37f27e217beb6da7d81

SHA512
331fdf9af1eaf0d76971a3f752287220a331f6aef5bef680c04e592c03a76f59a3297507c7eae3eff8f0b676a8efd8b2ed89dad924e662c586a64ddc9506193f

Download Submit
\Program Files (x86)\Dropbox\Update\1.3.335.1\psmachine.dll

Filesize
208KB

MD5
8b2600a15af93c8de7d602da943b3724

SHA1
459577f5feb897a48f3eeca5297721b49be9a633

SHA256
04342355272f97ae11db0cb9928c137ca24f0772b735a37f27e217beb6da7d81

SHA512
331fdf9af1eaf0d76971a3f752287220a331f6aef5bef680c04e592c03a76f59a3297507c7eae3eff8f0b676a8efd8b2ed89dad924e662c586a64ddc9506193f

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUM926.tmp\DropboxUpdate.exe

Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdate.dll

Filesize
1.1MB

MD5
ae33d56b1c555b9a710eaf801e66058d

SHA1
d2615520b0122b5f340b2824f69a54261153b645

SHA256
4cb98daabdd0a36af070c75dc3e6484f52729ca8ae26c9f3dd02079a6f92313d

SHA512
796ac33d39245e9727662080f9d5e19fa4bfaa7fa681da7bf100da1e480e91e555a7873f809490a5e0ef3eaefa566ba79b4cf36f1f264a4f056530f4be86baa6

Download Submit
\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
\Users\Admin\AppData\Local\Temp\GUM926.tmp\goopdateres_en.dll

Filesize
28KB

MD5
5b71914ff8b5dad6abb181b83f8688d3

SHA1
769490b06e7f0f01972dd060500a839ba3bedb00

SHA256
64d51ba594d2f04ebad0fa55899440fd4d4a8692c9ae3e4430d3f19faeaeb4a4

SHA512
1d45810c9aa13ceafd115da9afa46162b65bdf45cc78ffbf69e1d164bce0d34c72d52ad206c89b4399d646d91453f6a929a2bce0d3f5ae39f57b66b89807c318

Download Submit
memory/1036-100-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1072-57-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download