File name:

DocsSign3.1.7.exe

Full analysis: https://app.any.run/tasks/3d045845-8669-4390-9568-6d32bf9cebaf
Verdict: Malicious activity
Analysis date: September 03, 2025, 16:39:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anti-evasion
nodejs
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

D327A50F7C5E08F83D5DAE5BE6316CF8

SHA1:

653F3C8BD03D97CAE2CBA005C01EEC0DF93A3E72

SHA256:

9D26E35E6D36A867C6343B4F6D1D8C3C5550EA12EB0FC14427AA8D7AE6CA0A49

SSDEEP:

786432:Za7wJHAgZZs8lhcJuPTzy9jJ4isk6x6rYCgQDKiOGf:Q09hcJuLzy9jJ4isk6x6rY7GwGf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Collects BIOS Properties (Win32_BIOS) (SCRIPT)

      • powershell.exe (PID: 1164)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DocsSign3.1.7.exe (PID: 5436)
    • The process creates files with name similar to system file names

      • DocsSign3.1.7.exe (PID: 5436)
    • Drops 7-zip archiver for unpacking

      • DocsSign3.1.7.exe (PID: 5436)
    • Executable content was dropped or overwritten

      • DocsSign3.1.7.exe (PID: 5436)
    • Reads security settings of Internet Explorer

      • DocsSign3.1.7.exe (PID: 5436)
    • Process drops legitimate windows executable

      • DocsSign3.1.7.exe (PID: 5436)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6452)
      • cmd.exe (PID: 1980)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 5628)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 984)
    • Gets CPU ID (POWERSHELL)

      • powershell.exe (PID: 5988)
    • Application launched itself

      • Dropbox DocSend.exe (PID: 6224)
    • Get information on the list of running processes

      • Dropbox DocSend.exe (PID: 6224)
      • cmd.exe (PID: 1056)
    • Starts CMD.EXE for commands execution

      • Dropbox DocSend.exe (PID: 6224)
    • There is functionality for taking screenshot (YARA)

      • DocsSign3.1.7.exe (PID: 5436)
  • INFO

    • The sample compiled with english language support

      • DocsSign3.1.7.exe (PID: 5436)
    • Reads the computer name

      • DocsSign3.1.7.exe (PID: 5436)
      • Dropbox DocSend.exe (PID: 6224)
    • Checks supported languages

      • DocsSign3.1.7.exe (PID: 5436)
      • Dropbox DocSend.exe (PID: 6224)
      • Dropbox DocSend.exe (PID: 828)
    • Create files in a temporary directory

      • DocsSign3.1.7.exe (PID: 5436)
    • Creates files or folders in the user directory

      • Dropbox DocSend.exe (PID: 6224)
    • Node.js compiler has been detected

      • Dropbox DocSend.exe (PID: 6224)
    • Checks proxy server information

      • Dropbox DocSend.exe (PID: 6224)
      • slui.exe (PID: 1520)
    • Reads the machine GUID from the registry

      • Dropbox DocSend.exe (PID: 6224)
    • Reads the software policy settings

      • slui.exe (PID: 1520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.1.7.0
ProductVersionNumber: 3.1.7.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Dropbox Inc.
FileDescription: Dropbox DocSend - Securely manage, track, and share documents
FileVersion: 3.1.7
LegalCopyright: Copyright © 2025 Dropbox Inc.
ProductName: Dropbox DocSend
ProductVersion: 3.1.7
No data.
All screenshots are available in the full report
Total processes
163
Monitored processes
29
Malicious processes
2
Suspicious processes
1

Behavior graph (process chain in launch order; "no specs" is the report's marker for processes without their own indicators)

  • start
  • docssign3.1.7.exe
  • dropbox docsend.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • dropbox docsend.exe (no specs)
  • dropbox docsend.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 640
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 828
CMD: "C:\Users\admin\AppData\Local\Temp\329oCzzgnjYFWvJevW8cc4qtIL5\Dropbox DocSend.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\DropboxDocSend" --mojo-platform-channel-handle=2016 --field-trial-handle=1892,i,5178443706790485868,17255616822747044973,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
Path: C:\Users\admin\AppData\Local\Temp\329oCzzgnjYFWvJevW8cc4qtIL5\Dropbox DocSend.exe
Parent process: Dropbox DocSend.exe
User:
admin
Company:
Dropbox Inc.
Integrity Level:
MEDIUM
Description:
Dropbox DocSend
Exit code:
0
Version:
3.1.7
Modules
Images
c:\users\admin\appdata\local\temp\329oczzgnjyfwvjevw8cc4qtil5\dropbox docsend.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 984
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell "(Get-CimInstance -ClassName Win32_BIOS).SerialNumber""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Dropbox DocSend.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1056
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "tasklist /svc"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Dropbox DocSend.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1160
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1164
CMD: powershell "(Get-CimInstance -ClassName Win32_BIOS).SerialNumber"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1520
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1980
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell "(Get-CimInstance -ClassName Win32_DiskDrive).SerialNumber" | Select-Object -First 1"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Dropbox DocSend.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
255
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2280
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell "(Get-CimInstance -ClassName Win32_BaseBoard).SerialNumber""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Dropbox DocSend.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
25 234
Read events
25 234
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
123
Text files
72
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\app-32.7z
Type:
MD5:
SHA256:

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\icudtl.dat
Type:
MD5:
SHA256:

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\LICENSES.chromium.html
Type:
MD5:
SHA256:

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\locales\en-US.pak
Type: binary
MD5: 809B600D2EE9E32B0B9B586A74683E39
SHA256: 0DB4F65E527553B9E7BEE395F774CC9447971BF0B86D1728856B6C15B88207BB

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\locales\am.pak
Type: binary
MD5: 4EAA15771058480F5C574730C6BF4090
SHA256: B05DCB8136751AEE5ECED680A5BAD935E386BFCE657DD283D3EC00EE722FD740

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\locales\bg.pak
Type: binary
MD5: 0E8005B17AC49F50FB60F116F822840D
SHA256: 50E4F6B9C387ADF4BABA3377C61D99326CC3987928D8D60B88D1AC29352820EA

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\nsis7z.dll
Type: executable
MD5: 80E44CE4895304C6A3A831310FBF8CD0
SHA256: B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\chrome_100_percent.pak
Type: binary
MD5: 4FC6564B727BAA5FECF6BF3F6116CC64
SHA256: B7805392BFCE11118165E3A4E747AC0CA515E4E0CEADAB356D685575F6AA45FB

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\locales\af.pak
Type: binary
MD5: 862A2262D0E36414ABBAE1D9DF0C7335
SHA256: 57670EAE6D1871E648AD6148125EE82D08575BEC5B323459FC14C3831570774A

PID: 5436
Process: DocsSign3.1.7.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsbDB68.tmp\7z-out\chrome_200_percent.pak
Type: binary
MD5: 47668AC5038E68A565E0A9243DF3C9E5
SHA256: FAC820A98B746A04CE14EC40C7268D6A58819133972B538F9720A5363C862E32
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
6220
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
4820
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
NL
binary
407 b
whitelisted
2940
svchost.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
GB
binary
734 b
whitelisted
4820
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
NL
binary
419 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2040
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6220
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6220
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.73
  • 40.126.31.0
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 20.42.65.90
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info