File name: DropboxInstaller.exe

Full analysis: https://app.any.run/tasks/01ba7c08-1631-416b-994e-7f0536235a25
Verdict: Malicious activity
Analysis date: September 04, 2024, 15:37:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6132BB81F3E5F932EA327A45E3BF0170
SHA1: CBF905EF098F0B131C9F93EC0717673DAAACE386
SHA256: 085E254F69724CEE39E66F4DEF26F0AA68C9BD1172A9AACEFE363BB4D6D60D9A
SSDEEP: 24576:AlwVeu3O2SVG+NVCU3jatIzAmI2wmAxKR4FxCF6EAPkIwbqHSXJzyAvrDGar3Hah:AlwVeuHQjNVCU3jatIz5I2wmAxKR4Fxc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • Dropbox.exe (PID: 6708)
    • Changes the autorun value in the registry

      • Dropbox.exe (PID: 6708)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DropboxInstaller.exe (PID: 5708)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • powershell.exe (PID: 4708)
    • Reads security settings of Internet Explorer

      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Application launched itself

      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 6544)
    • Starts itself from another location

      • DropboxUpdate.exe (PID: 3184)
    • Disables SEHOP

      • DropboxUpdate.exe (PID: 3184)
    • Checks Windows Trust Settings

      • DropboxUpdate.exe (PID: 3184)
      • msiexec.exe (PID: 3492)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3492)
    • Executes as Windows Service

      • DropboxUpdate.exe (PID: 936)
      • DbxSvc.exe (PID: 5772)
    • Creates/Modifies COM task schedule object

      • DropboxUpdate.exe (PID: 6488)
      • regsvr32.exe (PID: 4392)
      • regsvr32.exe (PID: 1356)
      • regsvr32.exe (PID: 6680)
      • regsvr32.exe (PID: 7160)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • The process creates files with name similar to system file names

      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • powershell.exe (PID: 4708)
    • Process drops legitimate windows executable

      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • powershell.exe (PID: 4708)
    • Process drops python dynamic module

      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Drops a system driver (possible attempt to evade defenses)

      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • The process drops C-runtime libraries

      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Loads Python modules

      • Dropbox.exe (PID: 6708)
    • Potential Corporate Privacy Violation

      • DropboxUpdate.exe (PID: 2032)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • Dropbox.exe (PID: 6708)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Dropbox.exe (PID: 6708)
    • Creates files in the driver directory

      • Dropbox.exe (PID: 6708)
    • Creates or modifies Windows services

      • Dropbox.exe (PID: 6708)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 884)
      • powershell.exe (PID: 4708)
    • Creates a software uninstall entry

      • Dropbox.exe (PID: 6708)
    • Searches for installed software

      • Dropbox.exe (PID: 6708)
    • Starts SC.EXE for service management

      • Dropbox.exe (PID: 6708)
    • Starts POWERSHELL.EXE for commands execution

      • Dropbox.exe (PID: 6708)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 3144)
    • The process executes via Task Scheduler

      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 3672)
  • INFO

    • Checks supported languages

      • DropboxUpdate.exe (PID: 2324)
      • DropboxInstaller.exe (PID: 5708)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 1404)
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • DropboxUpdateClient.exe (PID: 376)
      • DbxSvc.exe (PID: 5772)
      • DismHost.exe (PID: 3144)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 2720)
      • DropboxCrashHandler.exe (PID: 4164)
    • Creates files in the program directory

      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 1404)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxCrashHandler.exe (PID: 4164)
      • DropboxUpdate.exe (PID: 2720)
    • Reads the computer name

      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 1404)
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxUpdate.exe (PID: 936)
      • DropboxUpdate.exe (PID: 4824)
      • Dropbox.exe (PID: 6708)
      • DbxSvc.exe (PID: 5772)
      • DropboxUpdateClient.exe (PID: 376)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • DismHost.exe (PID: 3144)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxUpdate.exe (PID: 2720)
      • DropboxCrashHandler.exe (PID: 4164)
    • Reads the machine GUID from the registry

      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 1404)
      • DropboxUpdate.exe (PID: 6488)
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • DropboxUpdate.exe (PID: 2032)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxCrashHandler.exe (PID: 4164)
      • DropboxUpdate.exe (PID: 2720)
    • Create files in a temporary directory

      • DropboxInstaller.exe (PID: 5708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Process checks computer location settings

      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3492)
    • Reads the software policy settings

      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxUpdate.exe (PID: 936)
      • DropboxUpdate.exe (PID: 3184)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3492)
    • Checks proxy server information

      • DropboxUpdate.exe (PID: 2032)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Reads the time zone

      • runonce.exe (PID: 6616)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 6616)
    • The process uses the downloaded file

      • runonce.exe (PID: 6616)
      • powershell.exe (PID: 4708)
    • Sends debugging messages

      • powershell.exe (PID: 4708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • DismHost.exe (PID: 3144)
    • The executable file from the user directory is run by the Powershell process

      • DismHost.exe (PID: 3144)
    • Reads Environment values

      • DismHost.exe (PID: 3144)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:06 09:18:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 48640
InitializedDataSize: 740864
UninitializedDataSize: -
EntryPoint: 0x4c96
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.3.911.1
ProductVersionNumber: 1.3.911.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Dropbox, Inc.
FileDescription: Dropbox Update Setup
FileVersion: 1.3.911.1
InternalName: Dropbox Update Setup
LegalCopyright: Copyright: Dropbox, Inc. 2015 (Omaha Copyright Google Inc.)
OriginalFileName: DropboxUpdateSetup.exe
ProductName: Dropbox Update
ProductVersion: 1.3.911.1
LanguageId: en
All screenshots are available in the full report
Total processes
166
Monitored processes
40
Malicious processes
9
Suspicious processes
4

Behavior graph

Process chain (processes marked "no specs" have no detailed record in the report):

start → dropboxinstaller.exe, dropboxupdate.exe (no specs), dropboxupdate.exe, dropboxupdate.exe (no specs), msiexec.exe, dropboxupdate.exe (no specs), dropboxupdate.exe, dropboxupdate.exe (no specs), dropboxupdate.exe, dropboxclient_206.4.6506.x64.exe, dropbox.exe,
netsh.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), conhost.exe (no specs),
regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs),
dropboxupdateclient.exe (no specs), dbxsvc.exe (no specs), runonce.exe (no specs), grpconv.exe (no specs), sc.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), dismhost.exe,
dropboxupdate.exe (no specs), dropboxupdate.exe (no specs), dropboxupdate.exe (no specs), dropboxcrashhandler.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 304
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 376
CMD: "C:\Program Files (x86)\Dropbox\Client\206.4.6506\DropboxUpdateClient.exe" --install-elevation-service --appid={CC46080E-4C33-4981-859A-BBA2F780F31E} --enable-logging --vmodule=*/dropbox/update_client/*=2
Path: C:\Program Files (x86)\Dropbox\Client\206.4.6506\DropboxUpdateClient.exe
Parent process: Dropbox.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\dropbox\client\206.4.6506\dropboxupdateclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 420
CMD: C:\WINDOWS\system32\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.76.0.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: Dropbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 752
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 884
CMD: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Dropbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 936
CMD: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
Path: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Parent process: services.exe
User:
SYSTEM
Company:
Dropbox, Inc.
Integrity Level:
SYSTEM
Description:
Dropbox Update
Version:
1.3.537.5
Modules
Images
c:\program files (x86)\dropbox\update\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1116
CMD: C:\WINDOWS\system32\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any protocol=tcp localport=17500-17510
Path: C:\Windows\System32\netsh.exe
Parent process: Dropbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1356
CMD: /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.76.0.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1404
CMD: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
Path: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Parent process: DropboxUpdate.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
HIGH
Description:
Dropbox Update
Exit code:
0
Version:
1.3.537.5
Modules
Images
c:\program files (x86)\dropbox\update\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1636
CMD: "C:\Windows\System32\grpconv.exe" -o
Path: C:\Windows\System32\grpconv.exe
Parent process: runonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
46 823
Read events
46 449
Write events
297
Delete events
77

Modification events

PID: 3184
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update
Operation: delete value
Name: eulaaccepted
Value:

PID: 3184
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update
Operation: write
Name: path
Value: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

PID: 3184
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\Clients\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: pv
Value: 1.3.911.1

PID: 3184
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\Clients\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: name
Value: Dropbox Update

PID: 3184
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\ClientState\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: pv
Value: 1.3.911.1

PID: 3184
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value: 0

PID: 1404
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe
Operation: write
Name: AppID
Value: {96D1EED3-701E-4FE5-B996-A543A8465897}

PID: 1404
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: LocalService
Value: dbupdate

PID: 1404
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: ServiceParameters
Value: /comsvc

PID: 1404
Process: DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: AppID
Value: {96D1EED3-701E-4FE5-B996-A543A8465897}
Executable files
477
Suspicious files
181
Text files
1 788
Unknown types
11

Dropped files

PID
Process
Filename
Type
PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdate.dll
Type: executable
MD5: EEFC49F19DC8E732750B382E13CEE819
SHA256: B0A29239FE624ADB271A557409727EEA317702F65F34F1ED84C55DE6BC77CB25

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxUpdate.exe
Type: executable
MD5: 8AD76E0B347BB690697535CE95B1C656
SHA256: 7655221B493047C61285E1DE78807D0584920B0D14D150E2487DA9728B1926F3

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\@PaxHeader
Type: text
MD5: 332C1795C5132A05FBAA2B4084D134BC
SHA256: 7ED3FB1ECDE2882DC1B818671BBEBA4385913706A515F8665D732BD03E8BB86F

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdateres_id.dll
Type: executable
MD5: 192D4311141487C6E5B8E9E53245907A
SHA256: A151BF2FFCA80ECBB38A8CFA3DB30002DCB42749E4FF3C768EE3AAE2CB9ECEDD

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxUpdateOnDemand.exe
Type: executable
MD5: 2ECAB51764BC64FA9472EEA19CBA6ED0
SHA256: 22729F1B9B966C1ADFA268A806856B22E1769A5FF6E56475B0D286B9BF507314

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdateres_de.dll
Type: executable
MD5: E0991C448CD818500F6C8F7509A84A40
SHA256: C5212E357B3CBA3564F357DF0133735D9B5D482DC3E3AB70810BD72A62F3CA4D

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdateres_da.dll
Type: executable
MD5: 126CE0740C8EAE19471301F903C27108
SHA256: A315A0732A38934CDDEDDC8B403104DC10BD97F66D70AE1A60EF72FD4230BEEE

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\psuser.dll
Type: executable
MD5: 0FA0151B62CF23391917784B5ADF0E1F
SHA256: BC519E9F04C84A2287E8F274743A23A425995156E9C882C09695F13D4095E196

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\psmachine.dll
Type: executable
MD5: 57250AC3DA5CFE80EAC551F4231A73F5
SHA256: 40B05834D9F30E8F07EE22C1D115A0A95D8D95489B4078AA0B640DEE7C6A111C

PID: 5708
Process: DropboxInstaller.exe
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdateres_it.dll
Type: executable
MD5: 7AA209B91E208C4157A947975F312416
SHA256: 4C6FDCA461A0CAF39110DDDFAD734F0E1AD3656D8A11B8B1279DBE05594818B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
34
DNS requests
15
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3492 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | | | whitelisted
3492 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | | | whitelisted
3492 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAOKSkxNqmqtTGS8Y78ILE0%3D | unknown | | | whitelisted
3652 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
2032 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | | | whitelisted
2032 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D | unknown | | | whitelisted
936 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | | | whitelisted
936 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D | unknown | | | whitelisted
5656 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
568 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 192.168.100.255:138 | | | | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3492 | msiexec.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3652 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3652 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2032 | DropboxUpdate.exe | 162.125.66.13:443 | client.dropbox.com | DROPBOX | DE | shared


DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.20
  • 20.190.160.17
whitelisted
client.dropbox.com
  • 162.125.66.13
shared
edge.dropboxstatic.com
  • 162.125.66.22
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2032
DropboxUpdate.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
2128
DropboxClient_206.4.6506.x64.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
Process
Message
powershell.exe
PID=4708 TID=5084 DismApi.dll: - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 DismApi.dll: - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 DismApi.dll: Parent process command line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online" - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 Enter DismInitializeInternal - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 Initialized GlobalConfig - DismInitializeInternal
powershell.exe
PID=4708 TID=5084 Initialized SessionTable - DismInitializeInternal