File name: dropboxinstaller (1).exe

Full analysis: https://app.any.run/tasks/e3692140-997e-4c75-9d74-62c5f66e559a
Verdict: Malicious activity
Analysis date: September 26, 2024, 19:32:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F52427A75C2B01BA503CE3DDE1B1D35
SHA1: 281A014BCD8BE5EA65328C55224F14E7C4CB6043
SHA256: C11AF9653297597ECB8D790EBD0DFF1E515FE027D334404E68069E62F167A747
SSDEEP: 24576:AlwVeu3O2SVG+NVCU3jatIzAmI2wmAxKR4FxCF6EAPkIwbqHSXJzyAvrDGar3Hah:AlwVeuHQjNVCU3jatIz5I2wmAxKR4Fxc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • Dropbox.exe (PID: 5280)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dropboxinstaller (1).exe (PID: 6308)
      • DropboxUpdate.exe (PID: 736)
      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
      • Dropbox.exe (PID: 5280)
      • powershell.exe (PID: 4920)
    • Reads security settings of Internet Explorer

      • DropboxUpdate.exe (PID: 4408)
      • DropboxUpdate.exe (PID: 736)
    • Application launched itself

      • DropboxUpdate.exe (PID: 4408)
      • DropboxUpdate.exe (PID: 1432)
      • Dropbox.exe (PID: 4056)
      • DropboxUpdate.exe (PID: 8072)
    • Starts itself from another location

      • DropboxUpdate.exe (PID: 736)
    • Checks Windows Trust Settings

      • DropboxUpdate.exe (PID: 736)
    • Executes as Windows Service

      • DropboxUpdate.exe (PID: 1432)
      • DbxSvc.exe (PID: 6892)
    • Process drops python dynamic module

      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
      • Dropbox.exe (PID: 5280)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
    • Drops a system driver (possible attempt to evade defenses)

      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
      • Dropbox.exe (PID: 5280)
    • Process drops legitimate windows executable

      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
      • Dropbox.exe (PID: 5280)
      • powershell.exe (PID: 4920)
    • The process drops C-runtime libraries

      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
      • Dropbox.exe (PID: 5280)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • Dropbox.exe (PID: 5280)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Dropbox.exe (PID: 5280)
    • Starts POWERSHELL.EXE for commands execution

      • Dropbox.exe (PID: 5280)
    • Starts SC.EXE for service management

      • Dropbox.exe (PID: 5280)
    • Potential Corporate Privacy Violation

      • DropboxUpdate.exe (PID: 6052)
      • DropboxClient_208.4.5824.x64.exe (PID: 1176)
      • DropboxUpdate.exe (PID: 7060)
      • Dropbox.exe (PID: 1524)
      • Dropbox.exe (PID: 4056)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 6692)
    • Starts CMD.EXE for commands execution

      • Dropbox.exe (PID: 4056)
    • The process executes via Task Scheduler

      • DropboxUpdate.exe (PID: 8072)
      • DropboxUpdate.exe (PID: 8064)
  • INFO

    • Create files in a temporary directory

      • dropboxinstaller (1).exe (PID: 6308)
    • Creates files in the program directory

      • DropboxUpdate.exe (PID: 4408)
      • DropboxUpdate.exe (PID: 736)
    • Checks supported languages

      • dropboxinstaller (1).exe (PID: 6308)
      • DropboxUpdate.exe (PID: 4408)
      • DropboxUpdate.exe (PID: 736)
    • Reads the machine GUID from the registry

      • DropboxUpdate.exe (PID: 4408)
      • DropboxUpdate.exe (PID: 736)
    • Reads the computer name

      • DropboxUpdate.exe (PID: 4408)
      • DropboxUpdate.exe (PID: 736)
    • Process checks computer location settings

      • DropboxUpdate.exe (PID: 4408)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6400)
    • Checks operating system version

      • Dropbox.exe (PID: 4056)
    • Reads the software policy settings

      • DropboxUpdate.exe (PID: 736)
    • The executable file from the user directory is run by the Powershell process

      • DismHost.exe (PID: 6692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:06 09:18:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 48640
InitializedDataSize: 740864
UninitializedDataSize: -
EntryPoint: 0x4c96
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.3.911.1
ProductVersionNumber: 1.3.911.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Dropbox, Inc.
FileDescription: Dropbox Update Setup
FileVersion: 1.3.911.1
InternalName: Dropbox Update Setup
LegalCopyright: Copyright: Dropbox, Inc. 2015 (Omaha Copyright Google Inc.)
OriginalFileName: DropboxUpdateSetup.exe
ProductName: Dropbox Update
ProductVersion: 1.3.911.1
LanguageId: en
No data.
All screenshots are available in the full report
Total processes
197
Monitored processes
61
Malicious processes
10
Suspicious processes
0

Behavior graph

Interactive process tree; only available in the full report. Processes shown, in order of first appearance starting from dropboxinstaller (1).exe: dropboxupdate.exe, msiexec.exe, dropboxclient_208.4.5824.x64.exe, dropbox.exe, netsh.exe, conhost.exe, regsvr32.exe, dropboxupdateclient.exe, dbxsvc.exe, runonce.exe, grpconv.exe, sc.exe, powershell.exe, dismhost.exe, dropboxcrashhandler.exe, dropboxupdateondemand.exe, cmd.exe, startmenuexperiencehost.exe, textinputhost.exe, tiworker.exe, searchapp.exe, mobsync.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
32
CMD:
"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /restartexplorer
Path:
C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
Parent process:
Dropbox.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
MEDIUM
Description:
Dropbox
Exit code:
3
Version:
208.4.5824
Modules
Images
c:\program files (x86)\dropbox\client\dropbox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files (x86)\dropbox\client\208.4.5824\dropbox_core.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sechost.dll
PID:
736
CMD:
"C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxUpdate.exe" /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055NzBLd2pBUUFPQlhLVGVMWEM1My1YSFVEbVlxQ0FxNkZDRVZhNkdCSnBwQmZIZTdmdkI5NGY0dXo3NmthWmhoMThBVWFxejU2dmZuWTJoUElYU1hCNzl1cXZ0d1NZY2FsNjJ5Wkp5SUVNR21nVHprUEthNUgtT2FGVHJTaGkyaUZqYWFpTkVaeGRZN0l5amlQYU5mOGZjSElxNGdUZ35-QE1FVEEifQ" /installelevated
Path:
C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxUpdate.exe
Parent process:
DropboxUpdate.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
HIGH
Description:
Dropbox Update
Exit code:
0
Version:
1.3.537.5
Modules
Images
c:\users\admin\appdata\local\temp\gum8623.tmp\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
840
CMD:
C:\WINDOWS\system32\regsvr32.exe /S /n /i:\"hklm_reg\" "C:\Program Files (x86)\Dropbox\Client\DropboxExt.76.0.dll"
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
Dropbox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
892
CMD:
"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" -type:crashpad-handler --no-upload-gzip --no-rate-limit --capture-python --no-identify-client-via-url --database=C:\Users\admin\AppData\Local\Dropbox\Crashpad --metrics-dir=0 --url=https://d.dropbox.com/report_crashpad_minidump --https-pin=0xfb,0xe3,0x1,0x80,0x31,0xf9,0x58,0x6b,0xcb,0xf4,0x17,0x27,0xe4,0x17,0xb7,0xd1,0xc4,0x5c,0x2f,0x47,0xf9,0x3b,0xe3,0x72,0xa1,0x7b,0x96,0xb5,0x7,0x57,0xd5,0xa2 --https-pin=0x7f,0x42,0x96,0xfc,0x5b,0x6a,0x4e,0x3b,0x35,0xd3,0xc3,0x69,0x62,0x3e,0x36,0x4a,0xb1,0xaf,0x38,0x1d,0x8f,0xa7,0x12,0x15,0x33,0xc9,0xd6,0xc6,0x33,0xea,0x24,0x61 --https-pin=0x36,0xab,0xc3,0x26,0x56,0xac,0xfc,0x64,0x5c,0x61,0xb7,0x16,0x13,0xc4,0xbf,0x21,0xc7,0x87,0xf5,0xca,0xbb,0xee,0x48,0x34,0x8d,0x58,0x59,0x78,0x3,0xd7,0xab,0xc9 --https-pin=0xf7,0xec,0xde,0xd5,0xc6,0x60,0x47,0xd2,0x8e,0xd6,0x46,0x6b,0x54,0x3c,0x40,0xe0,0x74,0x3a,0xbe,0x81,0xd1,0x9,0x25,0x4d,0xcf,0x84,0x5d,0x4c,0x2c,0x78,0x53,0xc5 --https-pin=0xbd,0xac,0xcb,0xf2,0xe8,0xb2,0x7c,0xc,0x2,0xa6,0x89,0xee,0x86,0x6c,0x9b,0x86,0xec,0x4,0x44,0x2a,0xfc,0xdd,0xdd,0x5d,0x4e,0xc3,0x6d,0xef,0x21,0xe7,0x61,0xdd --https-pin=0xaf,0xf9,0x88,0x90,0x6d,0xde,0x12,0x95,0x5d,0x9b,0xeb,0xbf,0x92,0x8f,0xdc,0xc3,0x1c,0xce,0x32,0x8d,0x5b,0x93,0x84,0xf2,0x1c,0x89,0x41,0xca,0x26,0xe2,0x3,0x91 --https-pin=0x8b,0xb5,0x93,0xa9,0x3b,0xe1,0xd0,0xe8,0xa8,0x22,0xbb,0x88,0x7c,0x54,0x78,0x90,0xc3,0xe7,0x6,0xaa,0xd2,0xda,0xb7,0x62,0x54,0xf9,0x7f,0xb3,0x6b,0x82,0xfc,0x26 --https-pin=0xb9,0x4c,0x19,0x83,0x0,0xce,0xc5,0xc0,0x57,0xad,0x7,0x27,0xb7,0xb,0xbe,0x91,0x81,0x69,0x92,0x25,0x64,0x39,0xa7,0xb3,0x2f,0x45,0x98,0x11,0x9d,0xda,0x9c,0x97 --https-pin=0x5a,0x88,0x96,0x47,0x22,0xe,0x54,0xd6,0xbd,0x8a,0x16,0x81,0x72,0x24,0x52,0xb,0xb5,0xc7,0x8e,0x58,0x98,0x4b,0xd5,0x70,0x50,0x63,0x88,0xb9,0xde,0xf,0x7,0x5f --https-pin=0xa4,0x95,0xc8,0xd1,0x10,0xe8,0xb9,0xe2,0x0,0xf3,0x70,0xae,0xda,0x3f,0xf9,0x2e,0xe4,0x3f,0x8e,0x3d,0x4e,0xc0,0xdb,0x1c,0xd,0xc5,0x8b,0xd7,0x62,0x88,0xb,0xa5 --https-pin=0xa0,0x2f,0xaf,0xa1,0x92,0xc8,0xcb,0x81,0xcb,0x13,0x41,0x55,0x4f,0x9c,0x5,0xb7,0x1c,0xca,0x2a,0x89,0xb,0xd,0x12,0x98,0xd6,0x83,0x64,0x7c,0x96,0x1e,0xfb,0xdf --https-pin=0x6a,0x97,0xb5,0x1c,0x82,0x19,0xe9,0x3e,0x5d,0xec,0x64,0xba,0xd5,0x80,0x6c,0xde,0xb0,0xf8,0x35,0x5b,0xe4,0x7e,0x75,0x70,0x10,0xb7,0x2,0x45,0x6e,0x1,0xaa,0xfd --https-pin=0x2b,0x7,0x1c,0x59,0xa0,0xa0,0xae,0x76,0xb0,0xea,0xdb,0x2b,0xad,0x23,0xba,0xd4,0x58,0xb,0x69,0xc3,0x60,0x1b,0x63,0xc,0x2e,0xaf,0x6,0x13,0xaf,0xa8,0x3f,0x92 --annotation=is_store_managed=false --annotation=machine_id=bb926e54-e3ca-40fd-ae90-2764341e7792 --annotation=platform=win "--annotation=platform_version=10 19045" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x7fffdd9a4388,0x7fffdd9a4348,0x7fffdd9a4358
Path:
C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
Parent process:
Dropbox.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
MEDIUM
Description:
Dropbox
Version:
208.4.5824
Modules
Images
c:\program files (x86)\dropbox\client\dropbox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\program files (x86)\dropbox\client\208.4.5824\dropbox_core.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\program files (x86)\dropbox\client\208.4.5824\python38.dll
PID:
964
CMD:
"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Path:
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID:
1148
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1176
CMD:
"C:\Program Files (x86)\Dropbox\Update\Install\{F6C1FE43-5021-404C-826F-AA54F41DC4FE}\DropboxClient_208.4.5824.x64.exe" /S /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055NzBLd2pBUUFPQlhLVGVMWEM1My1YSFVEbVlxQ0FxNkZDRVZhNkdCSnBwQmZIZTdmdkI5NGY0dXo3NmthWmhoMThBVWFxejU2dmZuWTJoUElYU1hCNzl1cXZ0d1NZY2FsNjJ5Wkp5SUVNR21nVHprUEthNUgtT2FGVHJTaGkyaUZqYWFpTkVaeGRZN0l5amlQYU5mOGZjSElxNGdUZ35-QE1FVEEiLCJvbWFoYS1pbnN0YWxsZXItaWQiOiJ7RkYxRTU1N0YtMTUwOC00MDQ1LUI3QzMtQjM1MUREODJBMDE0fSIsInJlcXVlc3Rfc2VxdWVuY2UiOjB9 /InstallType:MACHINE
Path:
C:\Program Files (x86)\Dropbox\Update\Install\{F6C1FE43-5021-404C-826F-AA54F41DC4FE}\DropboxClient_208.4.5824.x64.exe
Parent process:
DropboxUpdate.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
HIGH
Description:
Dropbox 208.4.5824 Installer
Exit code:
0
Version:
208.4.5824
Modules
Images
c:\program files (x86)\dropbox\update\install\{f6c1fe43-5021-404c-826f-aa54f41dc4fe}\dropboxclient_208.4.5824.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
1432
CMD:
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
Path:
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Dropbox, Inc.
Integrity Level:
SYSTEM
Description:
Dropbox Update
Exit code:
0
Version:
1.3.537.5
Modules
Images
c:\program files (x86)\dropbox\update\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1524
CMD:
"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" -type:exit-monitor -method:collectupload -session-token:f6596346-8fa3-4d5a-bf55-411ff413a277 -target-handle:724 -target-shutdown-event:716 -target-restart-event:720 "-target-command-line:\"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe\" /firstrun 1 /noappwasrunning /DBData:eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055NzBLd2pBUUFPQlhLVGVMWEM1My1YSFVEbVlxQ0FxNkZDRVZhNkdCSnBwQmZIZTdmdkI5NGY0dXo3NmthWmhoMThBVWFxejU2dmZuWTJoUElYU1hCNzl1cXZ0d1NZY2FsNjJ5Wkp5SUVNR21nVHprUEthNUgtT2FGVHJTaGkyaUZqYWFpTkVaeGRZN0l5amlQYU5mOGZjSElxNGdUZ35-QE1FVEEiLCJyZXF1ZXN0X3NlcXVlbmNlIjowfQ" -python-version:3.8.17 -process-type:main -handler-pipe:\\.\pipe\crashpad_4056_CIJZNNAAOXQWKCUZ
Path:
C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
Parent process:
Dropbox.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
MEDIUM
Description:
Dropbox
Version:
208.4.5824
Modules
Images
c:\program files (x86)\dropbox\client\dropbox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files (x86)\dropbox\client\208.4.5824\dropbox_core.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2136
CMD:
"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /handoff "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&experiments=buildid%3Dmain%7CThu%2C%2031%20Dec%202099%2023%3A59%3A59%20GMT&dropbox_data=eyJUQUdTIjoiREJQUkVBVVRIOjpjaHJvbWU6OmVKd055NzBLd2pBUUFPQlhLVGVMWEM1My1YSFVEbVlxQ0FxNkZDRVZhNkdCSnBwQmZIZTdmdkI5NGY0dXo3NmthWmhoMThBVWFxejU2dmZuWTJoUElYU1hCNzl1cXZ0d1NZY2FsNjJ5Wkp5SUVNR21nVHprUEthNUgtT2FGVHJTaGkyaUZqYWFpTkVaeGRZN0l5amlQYU5mOGZjSElxNGdUZ35-QE1FVEEifQ&nolaunch=0" /installsource taggedmi /sessionid "{E4B2262D-CF17-4255-9F62-3F272CF3EF6D}"
Path:
C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Parent process:
DropboxUpdate.exe
User:
admin
Company:
Dropbox, Inc.
Integrity Level:
HIGH
Description:
Dropbox Update
Exit code:
0
Version:
1.3.537.5
Modules
Images
c:\program files (x86)\dropbox\update\dropboxupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
82 180
Read events
81 578
Write events
470
Delete events
132

Modification events

(PID) Process: (736) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update
Operation: delete value
Name: eulaaccepted
Value:

(PID) Process: (736) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update
Operation: write
Name: path
Value: C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe

(PID) Process: (736) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\Clients\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: pv
Value: 1.3.911.1

(PID) Process: (736) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\Clients\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: name
Value: Dropbox Update

(PID) Process: (736) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DropboxUpdate\Update\ClientState\{D8968FF2-E0B1-4A13-A3E2-C9F2995F3BC6}
Operation: write
Name: pv
Value: 1.3.911.1

(PID) Process: (736) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DropboxUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value: 0

(PID) Process: (2772) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DropboxUpdate.exe
Operation: write
Name: AppID
Value: {96D1EED3-701E-4FE5-B996-A543A8465897}

(PID) Process: (2772) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: LocalService
Value: dbupdate

(PID) Process: (2772) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: ServiceParameters
Value: /comsvc

(PID) Process: (2772) DropboxUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96D1EED3-701E-4FE5-B996-A543A8465897}
Operation: write
Name: AppID
Value: {96D1EED3-701E-4FE5-B996-A543A8465897}
Executable files
475
Suspicious files
327
Text files
1 982
Unknown types
18

Dropped files

Each entry: PID (process): dropped file path (type), followed by its MD5 and SHA256.

6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\goopdate.dll (executable)
MD5: EEFC49F19DC8E732750B382E13CEE819
SHA256: B0A29239FE624ADB271A557409727EEA317702F65F34F1ED84C55DE6BC77CB25
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxUpdateBroker.exe (executable)
MD5: 0CD7FDDF34527FFBC563277CEA3F575B
SHA256: F4D066CE16CA47B19F5ACEC41155906BA08E0A6A565108EA77AE6C8F1136A55C
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\goopdateres_es.dll (executable)
MD5: 9CB5BB68AF81808DB323C3A30533E451
SHA256: C6D0B0916E358B0BD6ED02F3D9CECD7EF5A57FA273ECC164B556F2DD9B879BA1
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxUpdateOnDemand.exe (executable)
MD5: 2ECAB51764BC64FA9472EEA19CBA6ED0
SHA256: 22729F1B9B966C1ADFA268A806856B22E1769A5FF6E56475B0D286B9BF507314
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\@PaxHeader (text)
MD5: 332C1795C5132A05FBAA2B4084D134BC
SHA256: 7ED3FB1ECDE2882DC1B818671BBEBA4385913706A515F8665D732BD03E8BB86F
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\npDropboxUpdate3.dll (executable)
MD5: BED3F629455188556D54E8868CC3705B
SHA256: AAF37E7BE50FB5EA738CCDD615C7985B9EFDAEA43290094C6696AE0F6348051F
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxUpdate.exe (executable)
MD5: 8AD76E0B347BB690697535CE95B1C656
SHA256: 7655221B493047C61285E1DE78807D0584920B0D14D150E2487DA9728B1926F3
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxCrashHandler.exe (executable)
MD5: 3B607E9AE169797C5112736DD445DB25
SHA256: E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\goopdateres_ja.dll (executable)
MD5: B96EB4559E725359525E82E283EC4779
SHA256: 5D45D00E17E5A0A9D322299BFEDB9AAEB17469120F1B9C374F0D3BADCD8E0598
6308 (dropboxinstaller (1).exe): C:\Users\admin\AppData\Local\Temp\GUM8623.tmp\DropboxUpdateHelper.msi (executable)
MD5: 9AB89A05F39EF9F354DE6D4074BF105B
SHA256: DF7C8BCDBCF6247C25ABDC09D332858B01450225A4EBB29AC6DF4F713691B399
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
82
DNS requests
31
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6400
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6400
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAOKSkxNqmqtTGS8Y78ILE0%3D
unknown
whitelisted
6400
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6052
DropboxUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D
unknown
whitelisted
1432
DropboxUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
6052
DropboxUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
1432
DropboxUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAHWlVhJ1rvbwVVZSZDShpE%3D
unknown
whitelisted
1432
DropboxUpdate.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAxL%2FrmmJWO5Pdc5ptt97K8%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4544
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6804
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
20.42.73.24:443
browser.pipe.aria.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6400
msiexec.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.110
whitelisted
browser.pipe.aria.microsoft.com
  • 20.42.73.24
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.dropbox.com
  • 162.125.66.13
  • 162.125.72.13
shared
edge.dropboxstatic.com
  • 162.125.66.22
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.134
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.75
  • 20.190.159.0
  • 20.190.159.73
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted

Threats

PID
Process
Class
Message
6052
DropboxUpdate.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
1176
DropboxClient_208.4.5824.x64.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
7060
DropboxUpdate.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
1524
Dropbox.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
4056
Dropbox.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
4056
Dropbox.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
Process
Message
powershell.exe
PID=4920 TID=3440 Enter CCommandThread::CommandThreadProcedureStub - CCommandThread::CommandThreadProcedureStub
powershell.exe
PID=4920 TID=936 DismApi.dll: - DismInitializeInternal
powershell.exe
PID=4920 TID=936 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
powershell.exe
PID=4920 TID=936 DismApi.dll: - DismInitializeInternal
powershell.exe
PID=4920 TID=936 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
powershell.exe
PID=4920 TID=936 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
powershell.exe
PID=4920 TID=936 DismApi.dll: Parent process command line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell "Get-AppxProvisionedPackage -Online | Where-Object DisplayName -In \"C27EB4BA.DropboxOEM\" | Remove-ProvisionedAppxPackage -Online" - DismInitializeInternal
powershell.exe
PID=4920 TID=936 Enter DismInitializeInternal - DismInitializeInternal
powershell.exe
PID=4920 TID=936 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
powershell.exe
PID=4920 TID=936 Initialized GlobalConfig - DismInitializeInternal