File name: DropboxInstaller.exe
Full analysis: https://app.any.run/tasks/01ba7c08-1631-416b-994e-7f0536235a25
Verdict: Malicious activity
Analysis date: September 04, 2024, 15:37:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 6132BB81F3E5F932EA327A45E3BF0170
SHA1: CBF905EF098F0B131C9F93EC0717673DAAACE386
SHA256: 085E254F69724CEE39E66F4DEF26F0AA68C9BD1172A9AACEFE363BB4D6D60D9A
SSDEEP: 24576:AlwVeu3O2SVG+NVCU3jatIzAmI2wmAxKR4FxCF6EAPkIwbqHSXJzyAvrDGar3Hah:AlwVeuHQjNVCU3jatIz5I2wmAxKR4Fxc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • Dropbox.exe (PID: 6708)
    • Changes the autorun value in the registry
      • Dropbox.exe (PID: 6708)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Application launched itself
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 6544)
    • Executable content was dropped or overwritten
      • DropboxInstaller.exe (PID: 5708)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • powershell.exe (PID: 4708)
    • Starts itself from another location
      • DropboxUpdate.exe (PID: 3184)
    • Disables SEHOP
      • DropboxUpdate.exe (PID: 3184)
    • Checks Windows Trust Settings
      • DropboxUpdate.exe (PID: 3184)
      • msiexec.exe (PID: 3492)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Creates/Modifies COM task schedule object
      • DropboxUpdate.exe (PID: 6488)
      • regsvr32.exe (PID: 4392)
      • regsvr32.exe (PID: 1356)
      • regsvr32.exe (PID: 6680)
      • regsvr32.exe (PID: 7160)
    • Reads the Windows owner or organization settings
      • msiexec.exe (PID: 3492)
    • Executes as Windows Service
      • DropboxUpdate.exe (PID: 936)
      • DbxSvc.exe (PID: 5772)
    • Drops a system driver (possible attempt to evade defenses)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Process drops legitimate windows executable
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • powershell.exe (PID: 4708)
    • The process drops C-runtime libraries
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Loads Python modules
      • Dropbox.exe (PID: 6708)
    • Potential Corporate Privacy Violation
      • DropboxUpdate.exe (PID: 2032)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • The process creates files with name similar to system file names
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • powershell.exe (PID: 4708)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Process drops python dynamic module
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs
      • Dropbox.exe (PID: 6708)
    • Uses NETSH.EXE to add a firewall rule or allowed programs
      • Dropbox.exe (PID: 6708)
    • Creates or modifies Windows services
      • Dropbox.exe (PID: 6708)
    • Creates files in the driver directory
      • Dropbox.exe (PID: 6708)
    • Searches for installed software
      • Dropbox.exe (PID: 6708)
    • Creates a software uninstall entry
      • Dropbox.exe (PID: 6708)
    • Starts POWERSHELL.EXE for commands execution
      • Dropbox.exe (PID: 6708)
    • Detected use of alternative data streams (AltDS)
      • powershell.exe (PID: 884)
      • powershell.exe (PID: 4708)
    • Starts a Microsoft application from unusual location
      • DismHost.exe (PID: 3144)
    • The process executes via Task Scheduler
      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 3672)
    • Starts SC.EXE for service management
      • Dropbox.exe (PID: 6708)
  • INFO
    • Checks supported languages
      • DropboxInstaller.exe (PID: 5708)
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 1404)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxUpdate.exe (PID: 2032)
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • DropboxUpdateClient.exe (PID: 376)
      • DbxSvc.exe (PID: 5772)
      • DismHost.exe (PID: 3144)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxCrashHandler.exe (PID: 4164)
      • DropboxUpdate.exe (PID: 2720)
    • Creates files in the program directory
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 1404)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxCrashHandler.exe (PID: 4164)
      • DropboxUpdate.exe (PID: 2720)
    • Reads the computer name
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 1404)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxUpdate.exe (PID: 2032)
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • DropboxUpdateClient.exe (PID: 376)
      • Dropbox.exe (PID: 6708)
      • DbxSvc.exe (PID: 5772)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • DismHost.exe (PID: 3144)
      • DropboxUpdate.exe (PID: 2720)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxCrashHandler.exe (PID: 4164)
    • Process checks computer location settings
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 3184)
    • Reads the machine GUID from the registry
      • DropboxUpdate.exe (PID: 2324)
      • DropboxUpdate.exe (PID: 1404)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 6488)
      • DropboxUpdate.exe (PID: 2032)
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 4824)
      • DropboxUpdate.exe (PID: 936)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • DropboxUpdate.exe (PID: 6544)
      • DropboxUpdate.exe (PID: 3672)
      • DropboxCrashHandler.exe (PID: 4164)
      • DropboxUpdate.exe (PID: 2720)
    • Create files in a temporary directory
      • DropboxInstaller.exe (PID: 5708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 3492)
    • Creates files or folders in the user directory
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 2032)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • Dropbox.exe (PID: 6708)
    • Reads the software policy settings
      • msiexec.exe (PID: 3492)
      • DropboxUpdate.exe (PID: 936)
      • DropboxUpdate.exe (PID: 3184)
      • DropboxUpdate.exe (PID: 2032)
      • Dropbox.exe (PID: 6708)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 3492)
    • Checks proxy server information
      • DropboxUpdate.exe (PID: 2032)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
    • Reads the time zone
      • runonce.exe (PID: 6616)
    • The process uses the downloaded file
      • runonce.exe (PID: 6616)
      • powershell.exe (PID: 4708)
    • Reads security settings of Internet Explorer
      • runonce.exe (PID: 6616)
    • Reads Environment values
      • DismHost.exe (PID: 3144)
    • Sends debugging messages
      • DismHost.exe (PID: 3144)
      • DropboxClient_206.4.6506.x64.exe (PID: 2128)
      • powershell.exe (PID: 4708)
    • The executable file from the user directory is run by the Powershell process
      • DismHost.exe (PID: 3144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:06 09:18:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 48640
InitializedDataSize: 740864
UninitializedDataSize: -
EntryPoint: 0x4c96
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.3.911.1
ProductVersionNumber: 1.3.911.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Dropbox, Inc.
FileDescription: Dropbox Update Setup
FileVersion: 1.3.911.1
InternalName: Dropbox Update Setup
LegalCopyright: Copyright: Dropbox, Inc. 2015 (Omaha Copyright Google Inc.)
OriginalFileName: DropboxUpdateSetup.exe
ProductName: Dropbox Update
ProductVersion: 1.3.911.1
LanguageId: en
No data.
All screenshots are available in the full report
Total processes: 166
Monitored processes: 40
Malicious processes: 9
Suspicious processes: 4

Behavior graph

Process chain as shown in the graph (in order of appearance; "no specs" is the report's marker for a process with no specific indicators):

  • start
  • dropboxinstaller.exe
  • dropboxupdate.exe (no specs)
  • dropboxupdate.exe
  • dropboxupdate.exe (no specs)
  • msiexec.exe
  • dropboxupdate.exe (no specs)
  • dropboxupdate.exe
  • dropboxupdate.exe (no specs)
  • dropboxupdate.exe
  • dropboxclient_206.4.6506.x64.exe
  • dropbox.exe
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • dropboxupdateclient.exe (no specs)
  • dbxsvc.exe (no specs)
  • runonce.exe (no specs)
  • grpconv.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • dismhost.exe
  • dropboxupdate.exe (no specs)
  • dropboxupdate.exe (no specs)
  • dropboxupdate.exe (no specs)
  • dropboxcrashhandler.exe (no specs)

Process information

PID: 304
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 376
CMD: "C:\Program Files (x86)\Dropbox\Client\206.4.6506\DropboxUpdateClient.exe" --install-elevation-service --appid={CC46080E-4C33-4981-859A-BBA2F780F31E} --enable-logging --vmodule=*/dropbox/update_client/*=2
Path: C:\Program Files (x86)\Dropbox\Client\206.4.6506\DropboxUpdateClient.exe
Parent process: Dropbox.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\program files (x86)\dropbox\client\206.4.6506\dropboxupdateclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

PID: 420
CMD: C:\WINDOWS\system32\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.76.0.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: Dropbox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 752
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 884
CMD: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell "Get-AppxPackage C27EB4BA.DropboxOEM | Remove-AppxPackage"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Dropbox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

PID: 936
CMD: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
Path: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Parent process: services.exe
User: SYSTEM
Company: Dropbox, Inc.
Integrity Level: SYSTEM
Description: Dropbox Update
Version: 1.3.537.5
Modules (Images):
c:\program files (x86)\dropbox\update\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 1116
CMD: C:\WINDOWS\system32\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any protocol=tcp localport=17500-17510
Path: C:\Windows\System32\netsh.exe
Parent process: Dropbox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1356
CMD:  /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt64.76.0.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 1404
CMD: "C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /regsvc
Path: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Parent process: DropboxUpdate.exe
User: admin
Company: Dropbox, Inc.
Integrity Level: HIGH
Description: Dropbox Update
Exit code: 0
Version: 1.3.537.5
Modules (Images):
c:\program files (x86)\dropbox\update\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 1636
CMD: "C:\Windows\System32\grpconv.exe" -o
Path: C:\Windows\System32\grpconv.exe
Parent process: runonce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Progman Group Converter
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 46 823
Read events: 46 449
Write events: 297
Delete events: 77

Modification events

Process: (3184) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update
Operation: delete value
Name: eulaaccepted
Value:

Process: (3184) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update
Operation: write
Name: path
Value: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

Process: (3184) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\Clients\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: pv
Value: 1.3.911.1

Process: (3184) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\Clients\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: name
Value: Dropbox Update

Process: (3184) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\ClientState\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: pv
Value: 1.3.911.1

Process: (3184) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value: 0

Process: (1404) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe
Operation: write
Name: AppID
Value: {96D1EED3-701E-4FE5-B996-A543A8465897}

Process: (1404) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: LocalService
Value: dbupdate

Process: (1404) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: ServiceParameters
Value: /comsvc

Process: (1404) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: AppID
Value: {96D1EED3-701E-4FE5-B996-A543A8465897}
Executable files: 477
Suspicious files: 181
Text files: 1 788
Unknown types: 11

Dropped files

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxCrashHandler.exe
Type: executable
MD5: 3B607E9AE169797C5112736DD445DB25
SHA256: E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\@PaxHeader
Type: text
MD5: 332C1795C5132A05FBAA2B4084D134BC
SHA256: 7ED3FB1ECDE2882DC1B818671BBEBA4385913706A515F8665D732BD03E8BB86F

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxUpdateBroker.exe
Type: executable
MD5: 0CD7FDDF34527FFBC563277CEA3F575B
SHA256: F4D066CE16CA47B19F5ACEC41155906BA08E0A6A565108EA77AE6C8F1136A55C

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdate.dll
Type: executable
MD5: EEFC49F19DC8E732750B382E13CEE819
SHA256: B0A29239FE624ADB271A557409727EEA317702F65F34F1ED84C55DE6BC77CB25

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxUpdate.exe
Type: executable
MD5: 8AD76E0B347BB690697535CE95B1C656
SHA256: 7655221B493047C61285E1DE78807D0584920B0D14D150E2487DA9728B1926F3

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\npDropboxUpdate3.dll
Type: executable
MD5: BED3F629455188556D54E8868CC3705B
SHA256: AAF37E7BE50FB5EA738CCDD615C7985B9EFDAEA43290094C6696AE0F6348051F

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxUpdateOnDemand.exe
Type: executable
MD5: 2ECAB51764BC64FA9472EEA19CBA6ED0
SHA256: 22729F1B9B966C1ADFA268A806856B22E1769A5FF6E56475B0D286B9BF507314

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\DropboxUpdateHelper.msi
Type: executable
MD5: 9AB89A05F39EF9F354DE6D4074BF105B
SHA256: DF7C8BCDBCF6247C25ABDC09D332858B01450225A4EBB29AC6DF4F713691B399

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\psuser.dll
Type: executable
MD5: 0FA0151B62CF23391917784B5ADF0E1F
SHA256: BC519E9F04C84A2287E8F274743A23A425995156E9C882C09695F13D4095E196

PID: 5708 (DropboxInstaller.exe)
Filename: C:\Users\admin\AppData\Local\Temp\GUMAB1D.tmp\goopdateres_de.dll
Type: executable
MD5: E0991C448CD818500F6C8F7509A84A40
SHA256: C5212E357B3CBA3564F357DF0133735D9B5D482DC3E3AB70810BD72A62F3CA4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 34
DNS requests: 15
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3492 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
3652 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3492 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAOKSkxNqmqtTGS8Y78ILE0%3D | unknown | whitelisted
3492 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
2032 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
2032 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D | unknown | whitelisted
936 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
936 | DropboxUpdate.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D | unknown | whitelisted
5656 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
568 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3492 | msiexec.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3652 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3652 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2032 | DropboxUpdate.exe | 162.125.66.13:443 | client.dropbox.com | DROPBOX | DE | shared

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
google.com | 142.250.184.238 | whitelisted
client.wns.windows.com | 40.113.103.199 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.133, 40.126.32.134, 40.126.32.76, 40.126.32.68, 40.126.32.138, 40.126.32.136, 20.190.160.20, 20.190.160.17 | whitelisted
client.dropbox.com | 162.125.66.13 | shared
edge.dropboxstatic.com | 162.125.66.22 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted

Threats

PID | Process | Class | Message
2032 | DropboxUpdate.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use
2128 | DropboxClient_206.4.6506.x64.exe | Potential Corporate Privacy Violation | ET POLICY Dropbox.com Offsite File Backup in Use
Process | Message
powershell.exe | PID=4708 TID=5084 DismApi.dll: - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 DismApi.dll: - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 DismApi.dll: Parent process command line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online" - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 Enter DismInitializeInternal - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 Initialized GlobalConfig - DismInitializeInternal
powershell.exe | PID=4708 TID=5084 Initialized SessionTable - DismInitializeInternal